Five Things Your Business Can Do Right Now to Secure Critical Data

Written by Benjamin Fortier | Dec 19, 2025 9:31:13 PM

Use these five tips to help secure your information so when disaster strikes, you aren't left standing in a pile of rubble and ash.

1. Use a password manager

Strong passwords are one of the simplest and most effective ways to protect your organization, but most people reuse the same few passwords everywhere. That means, if a single account is compromised, an attacker can often get into many other systems. It's like having a skeleton key to your most critical data.

A password manager solves this problem by securely storing all of your passwords in one encrypted “vault,” so your team only needs to remember one strong master password instead of dozens of complex ones. The manager can also generate long, unique passwords for each account, which dramatically reduces the risk of a successful attack.

For a small business or nonprofit, start by choosing a reputable password manager that offers business or team plans, so you can onboard staff easily and control access when people join or leave. Roll it out in phases: begin with leadership and anyone who has access to financial accounts, email admin accounts, or donor and customer data. Provide a short, simple guide or quick training session to show staff how to log in, store their passwords, and use handy tools such as browser extensions. Make it a standard practice that no new account is created without being added to the password manager first.

| Password Manager | Website | Thoughts |
|---|---|---|
| NordPass | https://nordpass.com | Also has data breach scanning and email masking. |
| 1Password | https://1password.com/ | Generates and stores passwords and passkeys, as well as other sensitive information. |
| ProtonPass | https://proton.me/pass | Generous free tier and open source. |
| Dashlane | | Highly trusted by enterprise clients. |


2. Create backups

Backups are your safety net when something goes wrong, whether that’s a ransomware attack, accidental deletion, hardware failure, or natural disaster. If your critical files are backed up securely and regularly, you can restore your data and get back to work with minimal disruption. Without backups, your organization may be forced into costly downtime or, in the worst case, may permanently lose sensitive information.

For immediate impact, identify your “must-have” data: accounting records, donor or customer lists, key contracts, HR files, and any operational documents you rely on daily. Then set up at least two backup locations: one in the cloud (such as a reputable cloud storage or backup service) and one offline or separate from your main network (like an external hard drive that’s only connected during backups).

Automate backups where possible; many tools can run daily or weekly without staff intervention. Finally, test your backup by actually restoring a file or folder so you know the process works before an emergency.
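The backup-and-test-restore routine described above, as an added shell example that is not part of the original post: it archives a "must-have" folder to a second location and then proves the copy is usable by restoring it and comparing it with the originals. The source folder, the destination (an external drive mount) and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): back up a "must-have" folder to a
# second location, then prove the backup works by restoring it and comparing it
# with the originals. Paths and file names below are placeholders/assumptions.

# backup_dir SRC DEST: archive SRC into DEST/backup-<timestamp>.tar.gz and record
# a SHA-256 checksum next to it so later corruption of the archive is detectable.
backup_dir() {
    src="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    name="backup-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$dest/$name" -C "$src" . || return 1
    (cd "$dest" && sha256sum "$name" > "$name.sha256") || return 1
    printf '%s\n' "$dest/$name"
}

# verify_restore ARCHIVE SRC: the "test your backup" step. Checks the archive
# against its checksum, restores it into a scratch directory, and compares the
# restored tree with SRC. Returns 0 only if the restore matches exactly.
verify_restore() {
    archive="$1"; src="$2"
    dir=$(dirname "$archive"); name=$(basename "$archive")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) || return 1
    tmp=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    diff -r "$src" "$tmp" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh backup_check.sh /path/to/must-have-data /mnt/external-drive
if [ "$#" -eq 2 ]; then
    a=$(backup_dir "$1" "$2") || exit 1
    if verify_restore "$a" "$1"; then
        echo "backup $a verified by test restore"
    else
        echo "backup $a FAILED verification; fix this before you need it" >&2
        exit 1
    fi
fi
```

Run it from a scheduled job (cron or Task Scheduler) so the restore test happens every time, not just once.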

| Backup Service | Website | Thoughts |
|---|---|---|
| Backblaze | https://www.backblaze.com/ | Best for backing up data with automated rules. An alternative to Amazon Cloud. |
| Sync | https://www.sync.com/en/ | Great for teams and long-term backups using their Vault service. |
| Google Workspace (Drive) | https://workspace.google.com/products/drive/ | Free plan is generous in space and is great for collaboration. |
| Microsoft OneDrive/Office | https://www.microsoft.com/en-us/microsoft-365/onedrive/onedrive-plans-and-pricing | One of the first cloud services; Microsoft and Office have integrated into a fantastic, secure suite. |


3. Patch and update your software

Out-of-date software is one of the easiest ways for attackers to get into your systems. When vendors discover security flaws, they release updates (often called “patches”) to fix them. If your systems aren’t updated, you’re running with known holes that cybercriminals actively scan for and exploit. Keeping your devices and applications up to date is a low-cost, high-impact way to close many common attack paths.

Start by enabling automatic updates on operating systems (Windows, macOS, mobile devices) and common software such as web browsers, office suites, and antivirus tools. For specialized software, assign someone the responsibility to check for updates at least monthly, and keep a simple checklist of what needs to be updated and when.

Schedule updates during low-activity times to minimize disruption, and make sure staff know not to ignore update prompts. Over time, build updating into your normal IT routine so it becomes a habit instead of a one-time cleanup. Sometimes patches can create incompatibilities between software or glitches in your operating system. If you find this to be the case, consider using a "sandbox" environment: an isolated system where you can apply the patches and test for errors before rolling them out to the rest of your systems.

4. Sign up for cybersecurity newsletters

Cybersecurity changes quickly, but you don’t need to be an expert to stay informed. Subscribing to a few well-chosen cybersecurity newsletters gives you regular, plain-language updates about new scams, major vulnerabilities, and practical tips that matter to organizations like yours. This helps you spot threats early, so you can warn your team and adjust your defenses.

Look for free newsletters from trusted sources such as national cybersecurity agencies, nonprofit security organizations, or well-known security companies that focus on small organizations. Choose 1–3 that publish summaries, and avoid heavy technical reports. Assign one person, perhaps your de facto “security champion”, to read these and share short, actionable notes with your team once a month. You might add a quick “security tip of the month” to staff meetings or internal emails, using the newsletter content as a guide.

5. Consider policies to immediately implement

Even basic written policies can dramatically improve your security posture by setting clear expectations for everyone in your organization. Policies don’t have to be long or complicated; they just need to clearly explain what is allowed, what is required, and who to ask if there’s a question. For many small businesses and nonprofits, a simple set of acceptable use policies, information security standards, and incident response procedures can reduce risk from the most common threats.

Acceptable use policies are standards that cover how staff should use email, the internet, and organization-owned devices (for example, not installing unauthorized software, not sharing accounts, and avoiding personal use that creates risk). These policies should spell out what is and isn’t acceptable in everyday situations, such as using work devices on public Wi‑Fi, downloading files from unknown websites, plugging in USB drives, or forwarding work documents to personal email. They also clarify what employees can expect in terms of monitoring (for instance, that network traffic or device activity may be logged for security purposes) and what consequences may follow if the rules are ignored.

Add an information security standard to bolster your stance. This can be as simple as a clear, written set of rules your organization agrees to follow to protect its data, systems, and people. It doesn’t have to be a complex, enterprise-level framework; for a small business or nonprofit, it can be a short document that outlines basic expectations like how data should be stored, who can access what, how long records are kept, and how devices are secured. Adopting a standard matters because it turns good intentions into consistent, repeatable behavior, so you aren’t relying on each person’s judgment in the moment. To get started, you can borrow from lightweight, well-known frameworks tailored to small organizations or adapt sample policies from trusted sources, then customize them to match your size, tools, and risk. This is something we specialize in at Fall River Data Security Solutions, so reach out to us if this is something you'd like consulting for!

Finally, document a simple incident response procedure. These guidelines can be used for a variety of scenarios, from ransomware to natural disasters, and should be written in clear, non-technical language so anyone on your team can follow them under stress. At a minimum, outline who is in charge during an incident, who needs to be notified (internally and externally), and what steps must be taken to strategically respond. Your procedure should walk staff through three basic phases: how to identify a potential incident (for example, unusual system behavior, ransom notes, or signs of physical damage), how to respond in the moment (such as isolating affected devices, preserving evidence, and escalating to the right people), and how to recover and return to normal operations (restoring from backups, resetting passwords, and reviewing what happened).

Distribute these policies, discuss them briefly in a team meeting, and have staff acknowledge they’ve read them. You can refine and expand the policies later, but having something in place now is a powerful first step.

Wow! That is a lot of information to take in. We know that this is overwhelming and want to help out, so we've made it easy for you. We've turned this blog post into a field guide you can easily follow. Download it here:


And that's it! There's no obligation to follow through. We just want to get you started in this complicated journey. Just know that we're always here if you need us.