Start In Five Minutes: Website Security Conversations That Protect Your Nonprofit’s Reputation
A website isn't just a digital brochure – it's often your organization's most visible asset and, unfortunately, a prime target for cyber criminals. Every day, attackers scan thousands of websites looking for vulnerabilities they can exploit to steal donor information, target at-risk communities, deface the site, or even use your org’s trusted domain to distribute malware to your supporters.
The good news? You don't need to become a cyber security expert to protect your organization. You just need to ask the right questions of the people who maintain the website.
Why Your Nonprofit’s Website Needs Regular Security Check-Ins
Website compromises happen more often than you might think, and the consequences can be devastating:
Reputation damage that takes years to rebuild
Donor and staff information exposure leading to identity theft and lost trust
Constituent information exposure putting the communities your organization serves at risk
The site being used as a malware distribution point, putting supporters at risk
Search engine penalties that tank online visibility
Costly recovery efforts that drain resources from the mission
Many organizations set up their website and don’t have the information, expertise, or resources to secure it. Plugins need updates, old admin accounts pile up, and vulnerabilities can loom undetected. It's like leaving your front door unlocked by accident.
Getting Started With Website Security: Quarterly Conversations
We recommend having a brief conversation with whoever maintains the website once every quarter. That's it. Four times a year, send a quick email with some focused questions.
Whether you have someone on staff managing the site or you work with an external web developer, these conversations will help you understand how the digital front door is protected and identify any gaps before they become problems.
What to Ask (And When)
If this is your first security conversation, start with these foundational questions:
How is the website protected against cyber attacks?
Does anyone from your team monitor the website for security vulnerabilities?
How do you know if the website is experiencing an attack?
Do you have an incident response plan in place if the website experiences a security incident?
For follow-up conversations, focus on these maintenance items:
Have there been any changes since our last discussion about the website's security?
When do the domain and SSL certificates expire?
Is the content management system up-to-date?
Are the site's plugins fully up-to-date?
Who no longer needs administrative access to the website?
How to Interpret the Responses
Good signs to look for:
Specific mentions of security tools, monitoring services, and update schedules
Clear processes for handling security incidents
Regular maintenance windows for updates
Proper access management practices
Red flags that need follow-up:
Vague answers like "we handle that" without specifics
No monitoring or incident response plan
Outdated software or irregular update schedules
Uncertainty about who has admin access
Ready to Start the Conversation?
We’ve made this as easy as possible. Subscribe to this calendar (no registration required) to get quarterly reminders to have this conversation.
Once a reminder comes around, use the email templates below. We’ve written two versions, so choose the one that most closely matches who is responsible for maintaining your website. These templates are designed to help you kick off your first discussion. Feel free to adapt them as you follow up on website security in subsequent quarters.
Email Template: For Organizations with Internal Website Management
Subject: Quick Check-In: [Organization Name]'s Website Security
Hi [Name],
Hope you're doing well. I wanted to touch base about our website security since it's such an important part of our online presence and donor trust.
Could you help me understand a few things about how our site is currently protected?
How is our website protected against cyber attacks?
Does anyone on our team actively monitor the site for security vulnerabilities?
How would we know if our site was experiencing an attack?
Do we have an incident response plan if our website faces a security issue?
Your insight would really help me understand our current security posture. Thanks for all you do to keep our digital presence running smoothly!
Best,
[Your name]
Email Template: For Organizations Using External Website Support
Subject: Quarterly Security Check-In for [Organization Name] Website
Hi [Name/Team],
I hope you're doing well. As part of our regular organizational security review, I wanted to check in about our website security measures.
Could you provide a brief update on the following?
How is our website currently protected against cyber attacks?
Does your team monitor our site for security vulnerabilities?
How would we be notified if our site was experiencing an attack?
Do you have an incident response plan in place for website security issues?
I appreciate the ongoing work you do to maintain the site. Understanding these security measures helps us ensure we are good stewards of our supporters' trust and data.
Please let me know if you need any additional information from our end.
Best regards,
[Your name]
Make This a Habit
The key to website security isn't perfection – it's consistency. Set a quarterly reminder in your calendar right now to send one of these emails. Your future self (and your donors) will thank you.
Remember, asking the right questions now starts the conversation and makes sure someone knowledgeable is paying attention to your website's security. This is a simple step forward in protecting your organization’s data and mission.
Ready to send that email?
Take five minutes now to save yourself months of headaches down the road.