
The Volunteer Who Left Three Years Ago Still Has Your Donor Database

Nonprofits grant system access to volunteers, board members, and seasonal staff—then forget to revoke it. Here's how that revolving door creates real breach risk and what to do about it.

centrexIT Team

A few months back, our CEO Dylan Natter was talking with the executive director of a mid-sized nonprofit here in California. A solid organization, respected in the community, serious about its mission. The kind of place where everyone wears three hats and nobody has a spare hour.

She asked him a question that has stuck with the whole team ever since: “How would I even know if a former volunteer still had access to our donor database?”

The honest answer was: she probably wouldn’t. Not until something went wrong.

That conversation is the reason we are writing this post, because the situation behind her question is not unique to her organization. It is true of nearly every nonprofit we talk to.

The revolving door nobody talks about

Nonprofits run on a model that would horrify a corporate security team. Volunteers cycle through quarterly. Board members serve two-year terms and use personal Gmail accounts to access shared drives. Seasonal staff show up for the gala, get added to the CRM, and disappear in November. Interns rotate every semester.

Each one of those people, at some point, needed access to something. Donor records. The financial dashboard. The shared inbox where grant communications land. The Google Drive folder with strategic plans and board minutes. Maybe even the bank’s online portal, depending on who was helping with bookkeeping that month.

And here is the thing — granting that access is fast. A board member emails the ED on a Tuesday: “Can you add me to the QuickBooks file?” Done by Wednesday. Seasonal events coordinator needs the donor list in October? Shared link, view access, no expiration.

Revoking that access? That is the work that does not happen.

Why offboarding falls through the cracks

This is not a story about negligence. It is a story about how nonprofits are structured.

When a paid employee leaves a 500-person company, there is an HR system, an IT ticket, a checklist, and probably an automated workflow that disables accounts the moment the termination is logged. When a volunteer rolls off a nonprofit, there is a thank-you note and a hug at the holiday party.

Nobody is keeping a master list of every shared password they were ever told. Nobody is auditing whether they are still in the Microsoft 365 tenant. Nobody is checking whether they bookmarked the donor portal and the link still works because the password has not been changed since 2022.

The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element — credentials misused, accounts left active, mistakes that compounded. According to research published by Microsoft Security in 2024, compromised identities are now the leading initial access vector across all industries. The technology is not usually the failure point. The process around the technology is.

What this actually costs a nonprofit

Let’s be specific about the risk, because abstract “cybersecurity” warnings do not help anyone prioritize.

If a former volunteer’s personal email gets compromised — and that email was the login for your donor management system — an attacker now has a list of your major donors, their giving history, and likely their contact information. That data sells on dark web marketplaces. Worse, it gets used for targeted phishing against the donors themselves, who then associate that breach with your organization.

If a former board member’s credentials are still active in your accounting system, and their personal device gets infected with infostealer malware, your financial records are exposed. According to a 2024 report from the Nonprofit Technology Enterprise Network (NTEN), nonprofits experiencing data breaches report an average direct cost of $40,000 to $100,000, with reputational damage often costing more in lost donations over the following 18 months.

And the regulatory piece matters too. States like California (CCPA), New York (SHIELD Act), and others have data protection requirements that apply to nonprofits handling donor information. “We’re a small nonprofit” is not a defense.

What a lightweight approach looks like

The good news: you do not need an enterprise identity management platform to fix this. You need a process and a few tools you probably already have.

Here is what we told that executive director, and what we would recommend to any resource-constrained nonprofit reading this.

1. Build a single access inventory — once.

Open a spreadsheet. List every system the organization uses: the donor CRM, accounting software, Google Workspace or Microsoft 365, the website CMS, the email marketing platform, the bank portal, the shared cloud storage. For each one, list every person who currently has access and what level. This is painful the first time. It takes maybe four hours. You only have to do it once if you maintain it.

2. Add the spreadsheet to your offboarding checklist.

When someone leaves — paid, volunteer, board, intern, contractor — that spreadsheet gets reviewed and access gets removed within seven days. Put it on the operations manager’s calendar as a recurring task. Make it part of the exit conversation: “We’re going to remove your access to X, Y, and Z by Friday.” That framing protects the relationship and creates accountability.

3. Stop sharing passwords. Start using identity providers.

If you are on Microsoft 365 or Google Workspace, you already have an identity provider. Use it. Every system that supports single sign-on (and most modern nonprofit tools do) should be connected to it. When you disable the person’s Microsoft or Google account, you disable their access to everything at once. No more chasing down shared logins.

4. Require multi-factor authentication on everything.

This is the single highest-leverage control available. Microsoft has published research showing MFA blocks more than 99% of automated account compromise attempts. If a former volunteer’s credentials leak, MFA is the difference between a near-miss and a breach.

5. Audit quarterly. Not annually.

Four times a year, pull the access inventory and confirm everyone on it should still be there. Twenty minutes per quarter. You will find someone who should not be there. You always do.
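
The quarterly review in steps 1 through 5 can be run over a CSV export of the access inventory. The script below is an added example, not part of the original post or any centrexIT tooling. The column names, the sample rows, and the list of personal email domains are assumptions, and it assumes a row is deleted from the inventory once that access has actually been removed.

```python
import csv
import io
from datetime import date, timedelta

REVOKE_WITHIN = timedelta(days=7)  # the post's deadline for routine departures
# Assumed list of consumer mail domains; extend it for your own volunteers.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample inventory. Column names are assumptions, not a standard.
SAMPLE_INVENTORY = """system,person,email,role,access_level,departed_on,mfa
Donor CRM,Ana Ruiz,ana@example.org,staff,admin,,yes
Donor CRM,Ben Cole,ben.cole@gmail.com,volunteer,view,2022-11-30,no
Accounting,Cara Diaz,cara.diaz@gmail.com,board,edit,,yes
Shared Drive,Dev Shah,dev@example.org,intern,edit,2025-01-10,yes
"""

def audit(inventory_csv, today):
    """Return (finding, who, days) tuples for every row still in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        who = f"{row['person']} on {row['system']}"
        departed = row["departed_on"].strip()
        if departed:
            # A row with a departure date means the access has not been removed yet.
            overdue = today - date.fromisoformat(departed) - REVOKE_WITHIN
            if overdue > timedelta(0):
                findings.append(("REVOKE_OVERDUE", who, overdue.days))
            else:
                findings.append(("REVOKE_PENDING", who, -overdue.days))
        if row["email"].rsplit("@", 1)[-1].strip().lower() in PERSONAL_DOMAINS:
            findings.append(("PERSONAL_EMAIL", who, None))
        if row["mfa"].strip().lower() != "yes":
            findings.append(("NO_MFA", who, None))
    return findings

if __name__ == "__main__":
    for finding, who, days in audit(SAMPLE_INVENTORY, date(2025, 1, 14)):
        print(finding, who, "" if days is None else f"({days} days)")
```

REVOKE_OVERDUE rows are the ones to act on first; REVOKE_PENDING shows how many days remain inside the seven-day window.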

The conversation we want nonprofits to have

The organizations we respect most in this sector are the ones that take their data stewardship as seriously as they take their mission. Donors trust them with personal information. Beneficiaries trust them with sensitive details. Funders trust them with reporting accuracy.

That trust does not survive a breach traced back to a volunteer who left in 2022.

None of this requires a six-figure technology investment. It requires a half-day of inventory work, a recurring calendar reminder, and a commitment to treat offboarding with the same care as onboarding. The tools are already in your stack. The process is the gap.

If you are an executive director reading this and thinking “I have no idea where to start” — start with the spreadsheet. List the systems. List the people. See what surprises you. The first audit is always the hardest one, and it is also the most valuable.

Common Questions

How quickly should we revoke access when someone leaves?

Within seven days for routine departures. Same day for any departure involving conflict, termination, or concern. The longer credentials remain active after someone leaves, the larger the window for compromise — either by the person themselves or by an attacker who gains access to their personal accounts later.

Do we need to do this for short-term volunteers who only helped at one event?

Yes, if you granted them system access. The duration of someone’s involvement does not change the risk of their credentials. A one-time volunteer who got temporary access to the donor CRM for an event is still a risk if that access was never removed.

What about board members who use personal email accounts?

This is one of the most common gaps in nonprofit security. Personal email accounts should not be the access method for sensitive systems. Either issue them an organizational account (most identity providers offer guest accounts at minimal cost) or use single sign-on with strong MFA. The convenience of “just send it to my Gmail” creates ongoing risk.

We share passwords because we can’t afford enough licenses. Is that really a problem?

Yes, and it is a bigger problem than most leaders realize. Shared credentials make it impossible to audit who did what, eliminate the ability to revoke access for one person without disrupting everyone, and almost always end up shared more broadly than intended. Most nonprofit software vendors offer discounted or free licenses for additional users — TechSoup is a good starting point.

What if we discover former volunteers still have access during our first audit?

Revoke immediately. Don’t make it dramatic — just remove access and change shared passwords. If the access involved highly sensitive data (financial systems, donor PII, beneficiary records), document what was accessible and when access was last used. Most modern platforms have audit logs that can tell you whether anything unusual happened. If something looks off, that is the time to bring in help.

centrexIT has been the IT team nonprofit organizations across the West have trusted since 2002. If you have read this and realized you do not actually know who has access to your systems, that is the first finding of your first audit — and it is worth doing the rest.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/
