As the cybersecurity threat has increased for organizations across the board, cybercriminals have targeted nonprofits and nongovernmental organizations (NGOs) with even greater intensity. As a result, your nonprofit organization should make cybersecurity a top priority to ensure that your worthwhile mission will continue.
Nonprofits and NGOs Have Insufficient Cybersecurity
A recent NetDiligence Cyber Claims study found that nonprofits are one of the top five industries most affected by cybercrime. Nonprofits and NGOs raise more than $30 billion annually, which draws the attention of threat actors. Another main reason these organizations are targeted is that they more often lack the staff and financial resources for effective cybersecurity than corporations do. Research by the CyberPeace Institute revealed that only 1 in 10 NGOs trains its staff regularly on cybersecurity, only 1 in 4 actively monitors its networks, and only 1 in 5 has a cybersecurity plan in place.
In addition, many nonprofits and NGOs are engaged in humanitarian missions at home and/or abroad, which require a wide range of electronic communication with the people they serve as well as with their donors and employees. The more devices and network connections these different stakeholders use, the greater the risk of exposure to hackers. A large number of charitable organizations also operate in areas with less developed communication infrastructure, which makes them more vulnerable to cyberattacks.
Even smaller nonprofits that think they might be passed over because of their size are preferred targets of malicious actors. Cybercriminals see these small organizations as prime opportunities because they can provide a gateway to the financial and personal information of their individual and corporate donors, employees, and partners.
Notable Recent Cyberattacks on Nonprofits and NGOs
Some notable cyberattacks on nonprofits and NGOs are summarized below.
International Committee of the Red Cross (ICRC)
In a supply chain attack, cybercriminals used stolen identity data to access the network of a third-party contractor to the ICRC. These hackers were then able to gain access to the networks of more than 60 Red Cross and Red Crescent “national societies.” The criminals obtained the sensitive personal information of more than 515,000 individuals including staff, donors, volunteers, first responders, and most insidiously, victims of tragedies from around the world. One cyber expert stated that this January 2022 attack was the greatest ever security breach of any humanitarian organization.
The Philadelphia Food Bank Philabundance was swindled out of $1 million after cybercriminals infiltrated their email system through a recent phishing attack. The scammers used credible information found in the nonprofit’s email system to request payment for the construction of a new community kitchen, and Philabundance wired them the funds. To their credit, local businesses made up this deficit with donations, and cybersecurity experts offered pro bono services to assist Philabundance in improving their cyber hygiene and network defenses.
An organization that took in donations to support the Truckers’ Convoy in Canada was hit with a Distributed Denial of Service (DDoS) attack, which temporarily took down their website. A DDoS attack is a cybercrime in which the attacker floods a server with internet traffic, preventing users from accessing connected online services and sites. This was an example of a political cyberattack on a nonprofit organization without a financial motive.
Blackbaud is one of the world’s largest providers of financial and fundraising technology for nonprofits and universities. In another notable supply chain attack, cybercriminals gained unauthorized access to Blackbaud’s donor software program for nonprofits called Raiser’s Edge. Through sophisticated hacker techniques, these malicious actors were able to avoid detection and access customer data for months. Blackbaud paid an undisclosed ransom amount to the cybercriminals to resolve the issue, but they have come under criticism for their delay in revealing this attack to clients. The extent to which their customer data was compromised is unknown, but Blackbaud did offer dark web monitoring services to try to limit any future damage. In response to this incident, some nonprofit clients such as Save the Children stopped using Blackbaud applications.
Steps to Take to Improve Nonprofit Cybersecurity
In response to the growing threat of cyberattacks, nonprofits and NGOs can take concrete steps to meet cybersecurity challenges. Your organization needs to invest in powerful antivirus tools, firewalls, and Zero Trust cloud security architecture as well as provide your staff with thorough training and regular communication on good cyber hygiene. Multi-Factor Authentication (MFA) and strong password management policies are also important.
Your nonprofit organization should also limit staff access to sensitive personal client and employee information and consider verbal verification protocols for any significant financial transactions. Special attention should also be paid to restricting privileges on sensitive systems to the employees who need them as well as to selected third parties. Your organization should also carefully vet all third parties that will have access to your networks and verify that their networks and systems are well protected.
In addition, your organization should use encryption and a secure website to lock down your digital donation system. This is a specific area that cybercriminals will target because of the amount of sensitive financial information being exchanged and entered.
As a failsafe option, your organization should have robust backups in place and purchase cybersecurity insurance to mitigate the impact of any successful ransomware attacks.
Finally, if your financial resources are limited, your organization should consider contacting companies that provide discounted or pro bono cybersecurity help. For example, the CyberPeace Institute has the CyberPeace Builders program, which offers support and shared resources to help organizations prepare for, prevent, and recover from cyberattacks. This institute is currently helping more than 80 NGOs and nonprofits with improved cybersecurity.
Work with a Cybersecurity and IT Support Partner
The most important recommendation we can give your nonprofit organization is to consult and work with a trusted IT cybersecurity expert, such as Network Depot, to protect yourself against this growing threat. Your IT partner will help you select and implement the right cybersecurity tools and solutions that will work best for your unique nonprofit objectives.
By knowing and understanding these cybersecurity threats and with the assistance of your trusted IT Support partner, your nonprofit organization will be confident that you are well protected. Secure with this knowledge, your organization will be able to keep its focus on achieving your unique mission.