Cybersecurity Within Nonprofits

There is a lot of fear around cyberattacks in organizations. You want to protect your valuable information, maintain your funding and continue to provide resources and services.

The unfortunate truth is the impact of a cybersecurity incident could make this unsustainable. Consider that a majority of small businesses that experience a cyberattack do not recover. Rather, they’re out of business within six months, according to the U.S. National Cyber Security Alliance.

What does this mean for nonprofits?

To begin to answer this question, let’s take the example of the Save the Children Foundation. In 2018, the foundation lost $1 million to a scam conducted via email, known as a phishing scam. Fortunately, this organization was able to recover most of those funds due to their insurance. How would your organization fair should you experience such a scam? What is your threshold for recovery in terms of dollars lost?

As much as there is fear, there is also hope – if you take the right preventative measures and plan your response should an attack occur. Here, we’ll cover the basics of cybersecurity for nonprofits and how to launch or enhance a successful cybersecurity program at your organization.

Cybersecurity Basics for Nonprofits

Cybersecurity is not a simple concept, and it continues to evolve as we change our relationships with technology, as technology itself evolves and as cybercriminals develop new tactics for infiltrating systems. Yet nonprofit leaders, staff and volunteers are primarily focused on their organization’s mission – funding, organizing, executing and reporting. Being cybersecurity experts simply isn’t part of the general mission description and is relegated to IT – which could be one individual on staff or an outsourced service.

It’s not enough to have your IT person on the case. Nonprofits are witnessing a massive shift toward digital-first services and communications. More personal and financial information is being stored digitally as opposed to in wall-to-wall filing cabinets. Practically any member of your team could hand off the digital “key” to a cybercriminal unwittingly.

Cybersecurity is everyone’s responsibility at a nonprofit organization because everyone has access to the network, even with varying levels of access security in place. All executives, board members, staff and volunteers should understand the basics and adopt a culture of cybersecurity.

Here are a few basics to get started:

What is cybersecurity? It is the protection of your IT systems, networks and data from any malicious intent.

What is a cyberattack? It is a malicious attempt to gain unauthorized access to information systems to corrupt or steal the data. Common cyberattack types include ransomware, phishing, denial of service and “man in the middle.”

Why would a cybercriminal target a nonprofit? Cybercriminals don’t give immunity to an organization because it is cause-based and provides a useful or essential service or benefit. If the opportunity is there, they will exploit your organization for a return. Many nonprofits aren’t well defended or up to date on security, so they present as attractive “low hanging fruit.” They’ll likely take less time and effort and result in a quicker payout than a large corporation. Cybercriminals will target nonprofits with valuable data or services they can hold for ransom at consequence or outright steal. It’s not just about the nonprofit, but about the stakeholders the nonprofit is connected to.

What attack types are common for nonprofits? Nonprofit organizations often endure ransomware attacks or fall victim to social engineering plots, such as email phishing scams. In ransomware attacks, cybercriminals identify the most valuable data or function at your organization and compromise it until you pay a specific amount, often within a set timeframe. With social engineering, cybercriminals use deceptive tactics over email, and even phone and text messages, to gain access to your systems and compromise them.

What do cybercriminals want that nonprofits have? Primarily, cybercriminals are looking for financial gain. They don’t necessarily want what nonprofits have – but they can exploit it for money. Nonprofits tend to store personal, financial or other sensitive information about donors and clients. Additionally, many nonprofits are associated with a secondary organization, such as a healthcare or government organization, with data, services and vulnerabilities of its own. If a cybercriminal can compromise any of these, they will have significant leverage.

What are the impacts of a cyber incident on a nonprofit? There are five common impacts to organizations following a security breach or incident.

1. Exposed confidential or sensitive information.
2. Inaccessible organization, donor or client data.
3. Organization’s service delivery and continuity is impacted, leading to potential reputational damage and loss of support and confidence. Consider that donors might choose to fund – or not fund – organizations with cybersecurity concerns in mind.
4. Strain on internal resources and management due to inaccessibility and recovery work.
5. Unplanned costs due to compromised environment, such as legal costs, regulatory fines and identity protection.

How should nonprofits budget for cybersecurity? Formerly, cybersecurity initiatives took only three to five percent of the IT budget. Today, a good cybersecurity strategy should take 10 to 15 percent – 20 percent in some cases. It may sound like a lot, but consider that the global average cost of a data breach in 2021 was $4.24 million. In the United States, the average cost is higher: $9.05 million. Of course, these averages include costs from large enterprises. Globally, organizations with less than 500 employees averaged $2.98 million per breach.

Dive deeper into cybersecurity planning and best practices in our Cybersecurity Best Practices Guide.

GET THE GUIDE

Trends in the Cybersecurity Landscape

Five trends stand out in terms of the future of cybersecurity which warrant close attention as nonprofits build out their future state and strategy:

1. Ransomware

The Institute of Critical Infrastructure Technology reported that 50% of NGOs or nonprofits experienced a ransomware attack in the 12 months preceding their survey. Ransomware is popular because it is highly effective for cybercriminals looking for financial gain. It enters your environment through schemes like phishing and compromised credentials. Organizations often opt to pay ransoms because pulling from backups could take upwards of two to three months. However, payouts are getting larger and more difficult to pay.

2. Attack Sophistication

Cybercriminals are using more sophisticated methods of attack. For instance, they’re using a common methodology for penetration testing, scanning the network for vulnerabilities, entering and deploying ransomware strategically to attack the most critical systems.

3. An Expanding Attack Surface

The potential attack surface has grown. Our phones are connected to the internet, as well as our thermostats, stoves, dishwashers, washing machines and many other technologies. More individuals are working from home, on networks shared with kids’ computers, Xboxes, etc. These are all entry points.

4. Transformation and Security

Organizations and companies worldwide are moving to a cloud-based methodology, pursuing transformation. We're quick to transform to capture cost savings, but we must consider security with every step.

5. Insider Threats

Insider threats are a large threat for organizations. We focus on keeping the bad guys out, but what happens if they get inside the organization? Can we monitor and block them from inside?

Best Practices and First Steps to Strengthen Your Nonprofit's Cybersecurity

To start, your overall goal should be to create a culture of cybersecurity at your organization that is driven and emphasized by leadership. With this in mind, take the following steps to develop an effective cybersecurity program – and culture – at your nonprofit.

Assess and Test

Audit your current IT infrastructure. Assess where you currently are, what you have to protect, where your weaknesses lie and what you can do about them. This is often referred to as a cybersecurity assessment or an IT controls audit penetration test. It will help you gain visibility over what’s happening in your environment so you can design a roadmap for where you want to be and how to get there. A trusted third party should conduct penetration testing, which will help you discover your most glaring vulnerabilities.

Our team of IT professionals has identified 12 questions to help gauge your current security risk areas and assess your overall IT health. Most importantly, the results will provide tips to help you make actionable improvements now.

From data backups to your administrative protocols and password protection processes, this IT quiz will give you some quick wins to take back to your organization. Know how your security stacks up while learning best practices for optimum network stability, disaster recovery, and IT health.