Cybersecurity for Chicago Nonprofits: You Handle Sensitive Data Too
Donor records, client PII, financial data, volunteer info. Nonprofits hold the same sensitive data as any business but operate on a fraction of the budget. Here's how to protect it.
Nonprofits are targets. Nobody talks about it.
When people think about cybersecurity targets, they think banks. Hospitals. Tech companies. Government agencies. Big fish with big budgets.
Nobody thinks about the community organization on 79th Street with 8 staff members, a shared Google Drive full of client case files, and a volunteer coordinator whose password is "volunteer2024."
But attackers do. Because nonprofits hold exactly the kind of data that sells on the dark web: donor credit card numbers, client Social Security numbers, medical and mental health records, immigration documents, financial statements, and detailed personal information on vulnerable populations.
And nonprofits typically have the weakest defenses of any organization type. Limited budgets. Small IT teams (if any). Staff focused on mission, not security. Volunteers with access to sensitive systems who received zero training.
It's an open door.
What you're actually protecting.
Let's be specific about what a Chicago nonprofit typically handles:
Donor data. Names, addresses, email addresses, phone numbers, and credit card or bank account information from every person who's ever donated. If you use a payment processor, the card data is probably tokenized and never touches your systems. If you process donations through your own website or store card numbers in a spreadsheet (I've seen it), that's PCI-DSS territory.
Client records. If you serve individuals (social services, legal aid, healthcare, housing, workforce development), you have detailed personal information about people who are already vulnerable. Names, SSNs, income data, immigration status, health information, criminal history. A breach of this data doesn't just cost money. It can put people in danger.
Employee and volunteer data. Background checks, SSNs for tax purposes, banking information for direct deposit, emergency contacts. Standard HR data that's a goldmine for identity theft.
Financial records. Grant applications, budgets, audits, tax filings, bank statements. Enough information for a sophisticated attacker to commit wire fraud or impersonate your organization to funders.
Program data. Depending on your mission, this could include anything from student grades to health outcomes to location data for people in protective situations.
You might be a 501(c)(3) running on grants and goodwill, but the data you hold is just as sensitive as any for-profit company's. The regulations might be different, but the responsibility is the same.
The attacks that hit nonprofits.
Business email compromise targeting grant funds.
An attacker compromises (or spoofs) the email of a program officer at a foundation. They send your executive director an email: "We need updated wire instructions for your next disbursement." Your ED, who's been waiting on that grant payment, updates the information without calling to verify. $50,000 goes to a mule account.
This happens. Regularly. Foundations have started warning grantees about it because it's gotten so common.
Ransomware on shared drives.
Your case files, donor database, and financial records live on a shared drive or cloud storage. Someone on staff clicks a malicious link. Everything gets encrypted. The attackers demand $25,000 in Bitcoin to unlock it.
You don't have $25,000. You also don't have tested backups. Your last backup was three months ago and nobody knows if it works. Your clients' data is gone or held hostage.
Phishing targeting donors.
An attacker sends emails to your donor list (which they got from a breach or a public mailing list) pretending to be your organization. "Thank you for your generous donation! Please confirm your payment details." Donors click the link, enter their card information, and blame your nonprofit when the fraud shows up on their statement.
Your reputation takes a hit that no amount of fundraising can fix.
What you can do on a nonprofit budget.
I'm not going to pretend nonprofits have enterprise budgets. I know you don't. Here's what actually matters, prioritized by impact per dollar:
Free or nearly free.
1. Turn on MFA everywhere. Google Workspace, Microsoft 365, your CRM, your donor management platform, your banking. Free on almost every service. This is the single highest-impact action.
2. Google Workspace or Microsoft 365 Nonprofit. Both offer free or deeply discounted plans for registered 501(c)(3)s. These include built-in security features (phishing filters, admin controls, audit logs) that are dramatically better than running on free Gmail accounts.
3. Review who has access to what. Does every volunteer need access to the donor database? Does the intern need admin rights on your website? Probably not. Reduce access to the minimum each person needs to do their job.
4. CISA resources. The Cybersecurity and Infrastructure Security Agency has free resources specifically for high-risk communities, including nonprofits. Free vulnerability scanning, security assessments, and training materials.
Low cost, high impact.
5. Staff and volunteer training. This is where we come in. Nonprofits need training that's practical, short, and specific to the threats they actually face. Not a generic corporate security video. A 60-minute session that covers: how to spot phishing emails targeting your org, how to handle sensitive client data, what to do if you think something's wrong.
And the skills your staff learn at work protect them personally too. That matters when your staff are members of the same communities you serve.
6. Back up your data. Cloud backup for a small nonprofit's data costs $10-20/month. Set it up, automate it, and test a restore once a quarter. A backup you've never restored is a hope, not a backup. This is your insurance against ransomware.
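One way to make the "test a restore" part routine rather than a quarterly chore: a small script, added here as an illustration and not part of this post's recommendations or any vendor's tooling, that archives a folder and then refuses to report success until it has actually extracted the archive and compared it byte-for-byte with the original. The paths and sample files are hypothetical.

```shell
#!/bin/sh
# Constructed example: back up a directory and prove the archive restores.
# A backup that cannot be restored is exactly the failure the post warns about,
# so the job fails loudly instead of silently producing a useless archive.

# backup_dir SRC_DIR ARCHIVE  -> writes ARCHIVE (tar.gz) from SRC_DIR
backup_dir() {
  src="$1"; archive="$2"
  [ -d "$src" ] || { echo "backup_dir: $src is not a directory" >&2; return 1; }
  # -C keeps paths relative, so the archive restores anywhere, not just on this machine
  tar -czf "$archive" -C "$src" . || return 1
}

# verify_restore SRC_DIR ARCHIVE -> extracts ARCHIVE into a scratch directory and
# compares it with SRC_DIR. Returns 0 only if every file matches.
verify_restore() {
  src="$1"; archive="$2"
  scratch=$(mktemp -d) || return 1
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    echo "verify_restore: archive $archive is unreadable or corrupt" >&2
    rm -rf "$scratch"; return 1
  fi
  if diff -r -q "$src" "$scratch" >/dev/null 2>&1; then
    rm -rf "$scratch"; return 0
  fi
  echo "verify_restore: restored copy does not match $src" >&2
  rm -rf "$scratch"; return 1
}

# backup_and_verify SRC_DIR ARCHIVE -> single entry point for a scheduled job.
# Non-zero exit means "do not trust this backup"; wire that into whatever
# alerting you have, even if it is just an email to the executive director.
backup_and_verify() {
  backup_dir "$1" "$2" && verify_restore "$1" "$2"
}
```

Run `backup_and_verify /path/to/case-files /path/to/backups/cases.tgz` from cron and treat any non-zero exit as an incident to investigate.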
7. Password manager. Bitwarden has a free plan for organizations. No excuse.
When you're ready.
8. Security assessment. Let someone who does this for a living look at your environment. We offer assessments for nonprofits at rates that reflect your budget reality. A 30-minute initial conversation is always free.
9. Incident response plan. Write down what happens when something goes wrong. Who's in charge. Who calls the board. Who notifies clients. Who calls law enforcement. A one-page plan is better than no plan.
Chicago resources for nonprofits.
A few organizations doing good work in this space locally:
- i.c.stars runs tech workforce development for underserved young adults on the South Side. They're hosting the iOpener Innovation Conference, themed "Secure the Future," at the Blue Cross Blue Shield Tower in August 2026.
- CSNP (CyberSecurity NonProfit) has a Chicago chapter that runs free cybersecurity education events, workshops, and hackathons. 12,500+ members across 16 chapters globally.
- Per Scholas Chicago offers a 15-week cybersecurity training program preparing students for IT Security Administrator and Cybersecurity Analyst roles. Good pipeline for nonprofits looking to hire junior security talent.
- CISA Cyber Volunteer Resource Center connects nonprofits with cybersecurity volunteers who provide free support.
Your mission is too important to lose to a preventable breach.
You're doing work that matters. Serving communities, protecting vulnerable people, building something that makes Chicago better. The last thing you should have to deal with is explaining to your clients that their personal data was stolen because nobody set up MFA.
The security stuff isn't hard. It just needs to get done. And we're here to help you do it at a price point that works.
(773) 417-9994 or southsidechisolutions.com