
Password Playbook for Nonprofit Organizations

How to create, manage, and share passwords easily and securely

Table of contents

1 Threats and vulnerabilities
2 Productivity challenges
3 Real-world examples
4 Checklist: common accounts
5 Getting started with a password manager
6 Next steps

By helping those at risk and improving their quality of life, nonprofit organizations and NGOs are doing important work to enrich communities worldwide. Whether you’re promoting animal welfare, delivering emergency services, or supporting the arts, you rely on members, donors, and volunteers. These supporters—as well as your beneficiaries—expect you to keep their private information safe.

Safeguarding this sensitive data is a growing challenge. The rise of digital transformation and remote work have created new cybersecurity risks. Yet nonprofits and NGOs strive to keep low overhead ratios and run lean operations, leaving them with limited IT budgets to address these risks.

One of the most common ways for cyberattackers to get a foothold into your organization is through compromised employee accounts. A password manager is a simple and inexpensive tool that greatly reduces your risk of a breach.

In this playbook, we show you how your nonprofit can manage passwords to secure staff accounts—safeguarding donor and beneficiary data while protecting brand reputation—and improve productivity at the same time.

1 | Threats and vulnerabilities

Digital tools enable nonprofits to streamline functions such as service delivery, fundraising, and donor relationships. For example, 64% of NGOs globally report accepting donations on their website and 40% use customer relationship management (CRM) apps to track donations and communicate with supporters.1

These digital tools bring new cybersecurity risks as employees and volunteers
access sensitive data from a growing number of accounts, apps, and devices.
But for many nonprofits, allocating time and funds to cybersecurity is a
challenge when they’re focused on mission-driven objectives.

Unfortunately, cybercriminals know that nonprofits and NGOs have limited resources for safeguarding their data—and they view these organizations as easy targets.

Between mid-2019 and mid-2021, for example, NGOs were one of the top two sectors most commonly targeted by nation-states, according to Microsoft research.2, 3 The reason, researchers noted, was that bad actors looking for insights into international affairs or public policy were more likely to target nonprofits, advocacy groups, and similar organizations working with governments rather than attacking the government agencies directly.

The growing costs of data breaches

The public sector, which includes NGOs and government agencies, saw a 78.7% increase in the cost of data breaches in 2020, from $1.08 million to $1.93 million per breach, on average.
Source: IBM Security, “Cost of a Data Breach Report,” 2021

1 Nonprofit Tech for Good, “Global NGO Technology Report,” 201
2 Microsoft, “Microsoft Digital Defense Report,” September 202
3 Microsoft, “Microsoft Digital Defense Report,” October 2021


Common threats that the nonprofit sector experiences include:

Ransomware: Nearly a third of surveyed managed security service providers globally said nonprofits were the most susceptible to ransomware among their customer base. Out of 17 sectors total, the nonprofit sector was in the 8th spot based on the impact of ransomware.1

Social engineering and phishing-related attacks: Attackers commonly use social engineering and phishing to steal credentials, deploy malware, and gain initial entry into an organization. Across all sectors, social engineering remains the top culprit behind data breaches for businesses of all sizes, and phishing is the top type of action involved.

Compromised accounts: In 2020, the number of compromised accounts among nonprofit organizations increased 113% over 2019.3 These compromised usernames and passwords typically become available on the dark web, leading to further cyberattacks.

1 Datto, “Datto’s Global State of the Channel Ransomware Report,” 2020
2 Verizon, “2021 Data Breach Investigations Report,” May 202
3 CommunityIT, “2021 Nonprofit Cybersecurity Incident Report,” February 2021



How vulnerable are nonprofit organizations?

The number of cybersecurity incidents among nonprofit organizations has been on the rise,
nearly tripling between 2018 and 2020. The biggest threats have come from sophisticated email
attacks and targeted password attacks.1

Threat actors are most commonly motivated by financial gains as nonprofit organizations have valuable data about their donors and other stakeholders. Logins are also one of the most sought-after types of data, and 61% of data breaches across all sectors involve compromised credentials.2

Consequences from a data breach can be dire and include not only financial losses but also loss of reputation and support. Take the 2020 large-scale ransomware attack on cloud software provider Blackbaud as an example. The attack exposed sensitive data for Blackbaud’s customers—primarily nonprofits—affecting more than 500 organizations and 13 million consumers.3 While the organizations themselves weren’t responsible for the data breach, many reported millions of dollars in costs as a result, as well as loss of donors.4

As you adopt new technologies, your employees, volunteers, and board members are interacting with stakeholder data through an even larger number of touchpoints and applications. This gives cybercriminals additional opportunities to compromise your logins and corporate accounts.

A password manager helps you address the growing risks of the new digital ecosystem. This is important now more than ever, as the threats against the nonprofit sector escalate and your stakeholders trust that you’re keeping their sensitive data secure.

Food for thought

Only 55% of surveyed nonprofit organizations report having a policy for cybersecurity risk, equipment usage, and data privacy—and only 20% have a documented policy and procedures for cyberattack response.
Source: NTEN, “State of Nonprofit Cybersecurity,” November 2018

1 CommunityIT, “2021 Nonprofit Cybersecurity Incident Report,” February 202
2 Verizon, “2021 Data Breach Investigations Report,” May 202
3 Identity Theft Resource Center, “Blackbaud Data Breach Leaves Lasting Impact on U.S. and International Nonprofits,” August 202
4 VTDigger, “Breach at huge donor database firm hits home for Vermont nonprofits,” July 2020

2 | Productivity challenges

Storing passwords outside of a password manager is not only risky but can be incredibly ineffective. Many admins resort to spreadsheets to keep track of logins. But the manual process of managing even a small team’s credentials quickly becomes cumbersome and time-consuming.

Just consider some of the logistics:

- Onboarding and offboarding employees, volunteers, and board members
- Tracking down passwords for shared accounts
- Resetting passwords manually when someone forgets their login
- Getting the two-factor authentication (2FA) code if someone is out of office
- Recovering 2FA rights for an account managed by a former employee or volunteer

When you add in multiple accounts and cloud-based services and applications, the time spent on these administrative tasks quickly adds up. Likewise, for individuals, keeping track of passwords and spending time entering credentials whenever they need to access an account can also be challenging.

These administrative burdens are why many resort to shortcuts like recycling passwords or storing passwords in web browsers. Such practices compromise the security of your accounts and data because cybercriminals can easily find stolen logins on the dark web and use them to try to hack into other accounts.

Your paid and volunteer teams wear many hats. Tools that add to their workload hinder their productivity. This is where a password manager comes in—saving everyone both time and frustration.

Are passwords impacting your productivity? You’re not alone.

In a 2021 survey of 1,000 employees, Dashlane found that:

- 35% of respondents feel overwhelmed by keeping track of all their account information and logins
- 18% feel they’re wasting a lot of time trying to get into online accounts
- 49% create their own tricks and shortcuts for managing logins
- 69% retrieve or reset their passwords at least monthly

Source: Dashlane, “The Future of Security in the Hybrid Workforce,” 2021

3 | Real-world examples

Compromised credentials are commonly involved at different stages of attacks that target the nonprofit sector. For
example, cybercriminals may start a campaign with phishing emails to steal passwords for initial entry or compromise
credentials at a later stage of the attack to escalate privileges. Compromised logins are also often the first step in a
ransomware attack.

Often, bad actors don’t have to go to great lengths to gain entry. They can easily obtain passwords that were leaked
in an unrelated attack and then attempt to use them on other systems. It’s not surprising that this tactic works,
considering that 63% of employees say they have recycled passwords on work accounts and devices.1

Consider the following three examples and what it would mean for your organization to experience something similar.

Hacked email results in $650K loss

One Treasure Island, a San Francisco nonprofit working with low-income families, lost $650,000 after threat actors hacked into the email of its bookkeeping service provider in December 2020. The hackers then hijacked existing email threads to impersonate the nonprofit’s employees and redirected payments for legitimate invoices to their own accounts. One Treasure Island didn’t discover the fraud until the following month, when its partner inquired about a missed payment.2

Listen in to this conversation and Q&A with white hat hacker Rachel Tobac on demystifying the fundamentals of cybersecurity for you and your business.

1 Visual Objects, Worker cybersecurity survey, November 202
2 The Wall Street Journal, “Hackers Stole $650,000 From Nonprofit and Got Away, Showing Limits to Law Enforcement’s Reach,” June 2021


Phishing scam leads to fraudulent wire transfers

Philabundance Community Kitchen suffered a similar incident in July 2020. Cyberattackers used phishing to hack into the Philadelphia-based hunger-relief organization’s email, blocked legitimate emails from being received, and spoofed employees’ emails. They then requested that a nearly $1 million construction bill payment be wired to their fraudulent account. The nonprofit later had to dip into its reserves to pay the builder’s invoice.1

Compromised email leads to data breach

People Inc., a New York human-services agency, suffered a data breach that exposed sensitive personal, financial, and medical information for about 1,000 clients in 2019. Hackers compromised one or more employee accounts containing the data. A media report suggested that the first account may have been hacked through a brute-force attack that used a weak password. The report made the conclusion based on the organization’s statement that resetting the passwords secured the account.2

Want to learn more about steps you and your team can take to prevent data breaches and hacks? Download “A Business Guide to Data Breaches and Hacks.”

1 The Philadelphia Inquirer, “Philly hunger relief group Philabundance lost nearly $1 million in cyberattack,” December 202
2 ZDNet, “One of New York’s largest nonprofits suffers data breach,” May 2019

4 | Checklist: common accounts

Now that you understand what risks nonprofits and NGOs face, let’s get started securing important accounts (and ensuring you’re safeguarding sensitive constituent data).

First, take a look at the accounts your team needs.

The more accounts, the higher your security risk if you’re not using password management best practices. Shared logins, reused credentials, failure to change passwords regularly, and the lack of 2FA are among the factors that increase your security risks.

Here are some common accounts used by nonprofit organizations:

- Asana
- Bloomerang
- BoardSource
- Boardable
- DonorPerfect
- EventBrite
- Facebook
- Funraise
- G Suite
- Idealist
- Instagram
- Microsoft Teams
- Salesforce
- Shopify
- Slack
- TechSoup
- Twitter
- VolunteerMatch
- Zoom


Use the checklist below as a starting point to understand your logins ecosystem.

| Account | Owner? | Is this login shared? | How is it shared? | Is 2FA set up? | Is this password used for other accounts? |
|---------|--------|-----------------------|-------------------|----------------|-------------------------------------------|
| Asana | Otto Loggins | Yes | Spreadsheet | No | Yes |

Now that you have an understanding of your most important accounts (and how those are being shared), head to the next section for how to secure them.

5 | Getting started with a password manager

Your team has a heavy workload while maintaining lean operations. You need tools that are simple and convenient—and don’t get in the way of staff workflows.

Dashlane makes password management easy by:

- Filling in all your passwords across the web, on any device
- Saving logins as employees browse the internet
- Autofilling usernames, passwords, and 2FA codes on every account
- Enabling secure sharing of passwords and 2FA codes (e.g., for shared social accounts or for onboarding purposes)

And you can rest assured your data is always secure. We use the strongest encryption available and zero-knowledge security architecture, so the info stored in each account is only accessible to the individual user. Plus, two-factor authentication is built right in.

[Screenshot: Dashlane Sharing Center showing pending sharing requests, groups, and individuals]

Haven’t started using Dashlane yet? Sign up for a free trial today.


Here’s how to get started.

Onboarding (and offboarding) made easy

Complicated rollout and onboarding processes can hinder adoption of tools like password managers. Dashlane supports single sign-on (SSO) so admins can simplify onboarding—and we offer video tutorials, guides, and templates to help you with successful adoption and onboarding.

Set up groups

The Group Sharing feature allows Dashlane users to easily and efficiently share passwords and Secure Notes, making onboarding simple and secure. Admins can create groups based on departments or company needs in the Admin Console. Once created, both admins and individual users can share information with these groups through the app. With Dashlane, say hello to secure sharing and goodbye to Slacking or emailing passwords.

Want to see how easy it is to get started? Check out our onboarding video series.

6 | Next steps

Now that you’ve got the basics down, let’s talk about what’s
next and some of Dashlane’s more advanced features.

Set up Dark Web Monitoring

Dashlane monitors the dark web for compromised credentials. When Dashlane finds an employee’s username and password on the dark web, those credentials are immediately flagged in the app. The app prompts the employee to change the password—and provides a password generator for creating a strong, random password. Employees can add up to five email addresses to be monitored.

Monitor and measure

Every user gets a Password Health Score that shows a breakdown of weak, reused, or compromised passwords. In the Admin Console, you’ll be able to access your reporting dashboard. The dashboard’s centralized view gives you unprecedented visibility into your company’s password security and the ability to track improvements over time. There, you’ll receive actionable insights on your employees’ Password Health Scores and be able to help at-risk employees update their weak, reused, or compromised passwords. As more employees update their passwords, you can track score improvement over time.

Build a culture of security

Safeguarding sensitive data is not simply about the tools and processes you use—it starts with your employees, volunteers, and board members. Dashlane enables admins to make all these stakeholders part of the security conversation and educate them about their active role in protecting your organization—and its reputation.

With Dashlane, admins can:

- Track the overall company Password Health over time
- Benchmark security scores and measure progress
- Identify risky employees and engage them in discussions about safe password practices

With these tools and tactics at your disposal, you can make your team more secure—and productive—in no time.



How VillageReach eliminated hundreds of reused passwords

As a global nonprofit delivering life-saving care to low-income countries, VillageReach keeps a sharp focus on its mission. While the organization recognized the need to boost password security, it didn’t have the resources for time-consuming password management.

The nonprofit chose Dashlane because it simplified secure password management for both staff and admins and offered additional security features. Thanks to Dashlane, VillageReach has discovered and eliminated hundreds of reused passwords across the organization, along with unauthorized users—improving password health by 122%.

“We’re excited about all of the benefits Dashlane offers. Our security posture has significantly improved and we can more readily focus on our mission.”

Ben Leibert, VillageReach Technical Manager

Learn how VillageReach solved password security challenges for its global workforce.

See how Dashlane can help your nonprofit organization. Reach out or start a trial today.

Your teams are committed to making a difference in the lives of people and communities they serve. Their priorities are building relationships with donors and enriching the lives of others—not cybersecurity threats. Security tools like password managers are essential in maintaining the privacy of your constituents’ data. Empower your employees, volunteers, and board members to focus on advancing your mission—instead of worrying about which password they used where.
