The First Hour: Detection and Activation
The development director who received the suspicious email doesn’t delete it. Instead, she follows protocol, forwarding it to the designated point person outlined in the Incident Response Plan (IRP): the operations manager. The IRP isn’t a 100-page binder; it’s a lean document with a one-page contact sheet. The operations manager immediately makes two calls. The first is to the nonprofit’s part-time IT consultant, instructing them to investigate a potential phishing attack. The second is to the Executive Director (ED). Within 30 minutes, the core Incident Response Team—the ED, operations manager, and board chair—is on a conference call. The IRP has been officially activated. Their first job isn’t to solve the problem, but to assess it. Is this a single phishing attempt, or a sign of a wider breach? The immediate instruction is clear: determine the scope without spooking the staff.
Hours 2-8: Triage and Containment
The IT consultant confirms their fears: the development director’s email account was compromised two days ago. An attacker has had access to her inbox, which contains communications with dozens of major donors. The team’s priority shifts from detection to containment. The compromised account is locked, and all staff are instructed to reset their passwords immediately. The IT consultant begins a forensic analysis to see exactly what the attacker accessed. Was it just email, or did they pivot to the main donor database? This is the critical question. While the technical team works, the ED and board chair are in crisis management mode. They review the IRP’s communication tree. The plan dictates they notify the full board and their insurance provider. The call to the insurer is key; many nonprofits carry cyber liability insurance that provides not just financial coverage, but access to legal counsel and forensic experts who specialize in data breaches.
The Next 24 Hours: Investigation and Communication
By the next morning, the picture is clearer and worse. The forensic team confirms the attacker downloaded a spreadsheet from the shared drive containing the names, contact information, and donation histories of 500 top-tier donors. No financial data like credit card numbers was exposed, but the reputational risk is immense. Now, the IRP’s communication plan kicks in. Guided by legal counsel (provided via their insurance), the team drafts an email to the affected donors. The message is direct, transparent, and apologetic. It explains what happened, what data was involved, and what steps the organization is taking to secure its systems. It provides a dedicated email address and phone number for questions, monitored by the operations manager. The ED and board chair begin personally calling their top 20 donors before the email goes out. This personal touch is crucial for nonprofits, whose currency is trust, not transactions.
The First Week: Remediation and Recovery
While the external communication rolls out, internal remediation is in full swing. The IT consultant eradicates the attacker’s foothold, patches the vulnerability that allowed the initial access, and implements mandatory two-factor authentication (2FA) for all staff accounts—a measure that was on their to-do list but never prioritized. The focus is on rebuilding a more secure environment. The operations manager fields calls and emails from concerned donors. Most are understanding, but a few are angry. Each conversation is an exercise in calm, empathetic crisis communication. The team provides regular updates to the board and a general, less-detailed update to all staff to quell rumors. The organization is functional, but its leadership is consumed by the response. Normal fundraising and program work take a backseat to rebuilding trust and securing the digital infrastructure.
The First Month: The Post-Mortem
The crisis phase is over. No more angry calls are coming in, and the systems are stable. Now, the most important part of the IRP begins: the post-incident review. The core team, IT consultant, and legal counsel meet to dissect the entire event. What worked? The quick activation of the plan and the personal calls to donors. What failed? The lack of mandatory 2FA and insufficient staff training on phishing. The result of this meeting is a revised IRP. It includes a lower threshold for activation, a budget for quarterly cybersecurity training, and a non-negotiable policy for 2FA. The incident was costly and stressful, but it forced the organization to mature. It transformed security from an IT problem into an organizational priority.