There is a lot of fear around cyberattacks in nonprofit organizations. You want to protect your valuable information, maintain your funding and continue to provide resources and services.
The unfortunate truth is the impact of a cybersecurity incident could make this unsustainable. Consider that a majority of small businesses that experience a cyberattack do not recover. Rather, they’re out of business within six months, according to the US National Cyber Security Alliance.
What does this mean for nonprofits?
To begin to answer this question, let’s take the example of the Save the Children Foundation. In 2018, the foundation lost $1 million to a scam conducted via email, known as a phishing scam. Fortunately, this organization was able to recover most of those funds thanks to its insurance. How would your organization fare should you experience such a scam? What is your threshold for recovery in terms of dollars lost?
As much as there is fear, there is also hope – if you take the right preventative measures and plan your response should an attack occur. Here, we’ll cover the basics of cybersecurity for nonprofits and how to launch or enhance a successful cybersecurity program at your organization.
Cybersecurity is not a simple concept, and it continues to evolve as we change our relationships with technology, as technology itself evolves and as cybercriminals develop new tactics for infiltrating systems. Yet nonprofit leaders, staff and volunteers are primarily focused on their organization’s mission – funding, organizing, executing and reporting. Being cybersecurity experts simply isn’t part of the general mission description and is relegated to IT – which could be one individual on staff or an outsourced service.
It’s not enough to have your IT person on the case. Nonprofits are witnessing a massive shift toward digital-first services and communications. More personal and financial information is being stored digitally as opposed to in wall-to-wall filing cabinets. Practically any member of your team could hand off the digital “key” to a cybercriminal unwittingly.
Cybersecurity is everyone’s responsibility at a nonprofit organization because everyone has access to the network, even with varying levels of access security in place. All executives, board members, staff and volunteers should understand the basics and adopt a culture of cybersecurity.
Here are a few basics to get started:
What is cybersecurity? It is the protection of your IT systems, networks and data from any malicious intent.
What is a cyberattack? It is a malicious attempt to gain unauthorized access to information systems to corrupt or steal the data. Common cyberattack types include ransomware, phishing, denial of service and “man in the middle.”
Why would a cybercriminal target a nonprofit? Cybercriminals don’t grant immunity to an organization because it is cause-based and provides a useful or essential service or benefit. If the opportunity is there, they will exploit your organization for a return. Many nonprofits aren’t well defended or up to date on security, so they present as attractive “low hanging fruit.” They’ll likely take less time and effort and result in a quicker payout than a large corporation. Cybercriminals will target nonprofits with valuable data or services they can hold for ransom, or outright steal. It’s not just about the nonprofit itself but about the stakeholders the nonprofit is connected to.
What attack types are common for nonprofits? Nonprofit organizations often endure ransomware attacks or fall victim to social engineering plots, such as email phishing scams. In ransomware attacks, cybercriminals identify the most valuable data or function at your organization and compromise it until you pay a specific amount, often within a set timeframe. With social engineering, cybercriminals use deceptive tactics over email, and even phone and text messages, to gain access to your systems and compromise them.
What do cybercriminals want that nonprofits have? Primarily, cybercriminals are looking for financial gain. They don’t necessarily want what nonprofits have – but they can exploit it for money. Nonprofits tend to store personal, financial or other sensitive information about donors and clients. Additionally, many nonprofits are associated with a secondary organization, such as a healthcare or government organization, with data, services and vulnerabilities of its own. If a cybercriminal can compromise any of these, they will have significant leverage.
What are the impacts of a cyber incident on a nonprofit? There are five common impacts on organizations following a security breach or incident.
How should nonprofits budget for cybersecurity? Formerly, cybersecurity initiatives took only three to five percent of the IT budget. Today, a good cybersecurity strategy should take 10 to 15 percent, and 20 percent in some cases. It may sound like a lot, but consider that the global average cost of a data breach in 2021 was $4.24 million. In the United States, the average cost is higher: $9.05 million. Of course, these averages include costs from large enterprises. Globally, organizations with fewer than 500 employees averaged $2.98 million per breach.
Curious to learn more and create a culture of security at your organization? Listen to Michael Nouguier’s episode on cybersecurity trends on our podcast, EB & Flow.
Five trends stand out in terms of the future of cybersecurity that warrant close attention as nonprofits build out their future state and strategy:
The Institute of Critical Infrastructure Technology reported that 50% of NGOs or nonprofits experienced a ransomware attack in the 12 months preceding their survey. Ransomware is popular because it is highly effective for cybercriminals looking for financial gain. It enters your environment through schemes like phishing and compromised credentials. Organizations often opt to pay ransoms because pulling from backups could take upwards of two to three months. However, payouts are getting larger and more difficult to pay.
Cybercriminals are using more sophisticated methods of attack. For instance, they follow the same methodology a penetration tester would: scanning the network for vulnerabilities, gaining entry and then deploying ransomware strategically against the most critical systems.
The potential attack surface has grown. Our phones are connected to the internet, as well as our thermostats, stoves, dishwashers, washing machines and many other technologies. More individuals are working from home, on networks shared with kids’ computers, Xboxes, etc. These are all entry points.
Organizations and companies worldwide are migrating to cloud-based services as part of digital transformation. We’re quick to transform to capture cost savings, but we must consider security with every step.
Insider threats are a significant risk for organizations. We focus on keeping the bad guys out, but what happens if they get inside the organization? Can we monitor and block them from inside?
In our webinar Cybersecurity Within Nonprofits, Michael Nouguier covers these and other important facts about cybersecurity in the nonprofit realm.
To start, your overall goal should be to create a culture of cybersecurity at your organization that is driven and emphasized by leadership. With this in mind, take the following steps to develop an effective cybersecurity program – and culture – at your nonprofit.
Audit your current IT infrastructure. Assess where you currently are, what you have to protect, where your weaknesses lie and what you can do about them. This is often referred to as a cybersecurity assessment, an IT controls audit or a penetration test. It will help you gain visibility into what’s happening in your environment so you can design a roadmap for where you want to be and how to get there. A trusted third party should conduct penetration testing, which will help you discover your most glaring vulnerabilities.
Align business risk with the cyber risks and threats that are relevant to your operations and data, as discovered in your assessment and testing. A consultant with expertise in your industry can help you identify the threats relevant to your organization type, the data you protect, your region and more.
Document policies, plans and procedures, defining acceptable use and roles in data protection. This includes developing your incident response plans, which outline how you’ll respond to specific incidents and who is involved when. Policies should include expectations for multi-factor authentication and protocols for Bring Your Own Device (BYOD) and remote work. These policies should also outline expectations for volunteers accessing your network and devices.
Educate, train and market on cybersecurity awareness, policies and procedures internally at your organization. This is part of building a culture of cybersecurity, and it should come from the top down. Your people are your best defense against a cyber incident. Understand that there will be conflict between ease of use and cybersecurity. For instance, multi-factor authentication adds steps. Educate your team on the “why” to help them overcome this hurdle and embrace cybersecurity efforts to ensure mission continuity and security.
Exercise your incident response plans. Organizations that have these plans and exercise them save about 40% on data breach costs because they’re able to respond and recover faster. Consider adding “fun,” “outlandish” and “what if” scenarios, such as a zombie apocalypse or what happens when someone clicks a malicious link.
The cyber threat landscape is incredibly dynamic and ever-changing. It’s a journey, not a destination. It is imperative you have a strategy that is fluid enough to adapt with this changing landscape.
Dive deeper into cybersecurity planning and best practices in our Cybersecurity Best Practices Guide.