The Growing Cybersecurity Challenges Facing Nonprofits
In today’s volatile digital landscape, nonprofit organizations have found themselves increasingly vulnerable to the threat of malware and cyber attacks. As these charitable entities collect and retain more personal data on their beneficiaries, receive donor funds through online channels, and manage critical operations via internet-connected systems, their exposure to the risks of cybercrime has escalated significantly.
Nonprofit organizations are often viewed as “cyber-poor, target-rich” by malicious actors. They are considered easy targets from a technical perspective, yet possess vast troves of sensitive data and oversee the delivery of essential services to vulnerable communities worldwide. The non-profit sector raises over $1 trillion annually, making it a lucrative target for cybercriminals seeking to exploit this digital treasure trove.
While cybersecurity threats impact organizations across all industries, nonprofits face unique challenges in addressing these risks. Operating on well-defined and often limited budgets, many charitable organizations struggle to allocate the necessary resources towards robust cybersecurity measures. Additionally, their leaders frequently lack the time and awareness to research and implement comprehensive digital resilience strategies aligned with their operational realities.
The digital attack surface of NGOs has grown considerably in recent years, accelerated by two key factors:
- The COVID-19 Pandemic: The global health crisis forced many nonprofits to digitalize their operations rapidly to ensure continuity, producing a permanent shift in how they work, communicate, fundraise, and deliver services. Every new remote-access path, cloud account, and online donation form added to that digital footprint is also a new entry point for attackers.
- Reliance on Third-Party Services: Rather than building their own platforms, most nonprofits run on a wide range of third-party tools and services. This extends the attack surface to the suppliers themselves: a breach or misconfiguration at a provider exposes every organization that depends on it, and the nonprofit usually has little visibility into, and no control over, the provider's security practices.
The Operational Impact of Cyberattacks on Nonprofits
One of the most immediate and tangible consequences of a successful cyberattack on a nonprofit organization is the disruption of its day-to-day operations. In the event of a breach, these charitable entities may find themselves locked out of their own systems, unable to access vital data, and facing the daunting task of restoring normal functionality.
The downtime resulting from such disruptions can severely hinder program delivery, compromise project timelines, and erode the trust of key stakeholders, including donors and beneficiaries. This operational impact can be devastating, as nonprofits rely on seamless operations to effectively serve the vulnerable communities they support.
For example, in early 2020 a nonprofit organization fell victim to a website defacement attack in which its central communication platform was altered to redirect visitors to a Chinese marketplace website. Because the organization held no backup of its website, it had to rebuild its online presence from scratch, an effort that took nearly nine months.
Another illustrative case began with a staff member opening a malware-laden PDF attachment. The resulting ransomware infection encrypted the organization's data, including booking details, financial records, and personal records of staff, and the perpetrators demanded a substantial sum in bitcoin for the decryption keys. The nonprofit chose not to engage with the criminals or pay the ransom, but it still suffered significant operational disruption: everything created or changed after its last successful backup was lost for good. The lesson is that a backup only limits the damage if it is recent, intact, and actually restorable, which has to be checked before an incident rather than discovered during one.
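The ransomware case above turns on one question: how old is the newest backup that can actually be restored? The following is an added example, not code from the original article or from any organization it describes. It assumes an illustrative layout in which the backup job writes a `manifest.json` beside each archive, recording the archive's SHA-256 digest and creation time, and it measures the age of the newest archive whose digest still matches against a recovery point objective (RPO). An archive whose contents no longer match the manifest (overwritten, truncated, or encrypted by the same ransomware) is treated as unusable, so the check reports the real gap rather than the apparent one.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed layout (illustrative, not a real product's format):
#   <backup_dir>/manifest.json is a list of
#   {"file": "...", "sha256": "<hex digest>", "created": "<ISO-8601 timestamp>"}
# written by the backup job when each archive is produced.


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_backups(backup_dir, rpo_hours, now):
    """Find the newest backup whose archive still matches its recorded digest
    and report whether its age is within the recovery point objective."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    verified, corrupt = [], []
    for entry in manifest:
        path = os.path.join(backup_dir, entry["file"])
        created = datetime.fromisoformat(entry["created"])
        if os.path.exists(path) and sha256_file(path) == entry["sha256"]:
            verified.append((created, entry["file"]))
        else:
            corrupt.append(entry["file"])  # missing or altered: not restorable
    if not verified:
        return {"ok": False, "latest": None, "gap_hours": None, "corrupt": corrupt}
    created, name = max(verified)  # newest *verified* archive, not newest file
    gap = (now - created).total_seconds() / 3600
    return {"ok": gap <= rpo_hours, "latest": name,
            "gap_hours": round(gap, 1), "corrupt": corrupt}


def demo():
    """Constructed scenario: an intact 30-hour-old archive and a 6-hour-old
    archive whose bytes were overwritten after the manifest was written."""
    now = datetime(2024, 3, 3, 8, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        good, bad = b"donor-db-dump-v1", b"donor-db-dump-v2"
        for name, data in (("backup-1.tar.gz", good), ("backup-2.tar.gz", bad)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = [
            {"file": "backup-1.tar.gz", "sha256": hashlib.sha256(good).hexdigest(),
             "created": (now - timedelta(hours=30)).isoformat()},
            {"file": "backup-2.tar.gz", "sha256": hashlib.sha256(bad).hexdigest(),
             "created": (now - timedelta(hours=6)).isoformat()},
        ]
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f)
        # Simulate the newest archive being damaged after it was catalogued.
        with open(os.path.join(d, "backup-2.tar.gz"), "wb") as f:
            f.write(b"\x00" * 16)
        return check_backups(d, rpo_hours=24, now=now)


if __name__ == "__main__":
    print(demo())
```

With a 24-hour RPO the check fails: the 6-hour-old archive is unusable, so the effective recovery point is 30 hours back. Running this from a host that is not writable by the backup job's own credentials, and restoring one archive to scratch storage on a schedule, are the two additions that turn it from a freshness check into a restorability check.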
The Threat to Donor and Beneficiary Data
In addition to the operational impact, the security of donor and beneficiary data is a critical concern for nonprofit organizations. Many charitable entities manage extensive databases containing highly sensitive personally identifiable information (PII) and personal health information (PHI) on the individuals they serve, as well as financial details and contact information of their donors.
A breach of these data stores can have devastating consequences, ranging from identity theft and social exclusion to the risk of physical harm to vulnerable populations. Criminals may exploit the breached data to extort money from individuals or even target them for further exploitation, especially in repressive regimes where the exposure of personal information could lead to grave consequences for the affected individuals and their families.
The cyberattack on the International Committee of the Red Cross (ICRC), disclosed in January 2022, exposed the personal information of more than 500,000 people and is a stark reminder of the risks nonprofits face in safeguarding sensitive data. The attackers targeted the systems behind the ICRC's "Restoring Family Links" program, which helps reunite families separated by conflict and disaster, meaning the exposed records concerned some of the most vulnerable people the organization serves.
Another high-profile case, in 2016, involved the Australian Red Cross Blood Service, where the personal and health information of over 550,000 blood donors was exposed after a database backup was placed on a publicly accessible web server. The fallout threatened the privacy and safety of the affected individuals and significantly eroded public trust, leading to a decrease in blood donations.
The Financial Impact of Cyberattacks on Nonprofits
While nonprofits may not generate revenue in the same way as for-profit businesses, they still face substantial financial losses due to cyber incidents. These losses can include direct costs, such as expenses related to paying ransoms, investigating breaches, restoring systems and data, as well as potential legal fees or regulatory fines.
Moreover, there are indirect costs that can be even more damaging, such as the loss of donor trust and disruptions to program delivery. As charitable organizations rely heavily on public goodwill, a successful cyberattack can severely erode trust, leading to decreased donations and funding – a devastating blow to their ability to fulfill their missions.
For instance, in 2019 a Geneva-based nonprofit organization fell victim to a man-in-the-middle attack on its invoicing: criminals intercepted an invoice in transit and altered its payment details, diverting $23,000 to an account they controlled. The loss was large enough that the organization considered closing its doors or taking out a personal loan to cover it.
Similarly, in 2020 the California-based humanitarian nonprofit Roots of Peace was targeted by a CEO fraud scheme, a form of business email compromise in which staff are induced to act on payment instructions that appear to come from their own leadership; the result was the unwitting transfer of over $1 million to a Hong Kong-based account. This devastating financial blow threatened the organization's ability to continue its critical work of converting minefields into arable farmland in former war zones.
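Both of the cases above are payment-diversion frauds: the attacker's message is crafted to look like it comes from a known executive or supplier and asks finance staff to pay, or to change bank details, quickly and quietly. The following is an added example, not code from the original article or from either organization named. It scores an email for the classic indicators of that attack class: a trusted display name paired with the wrong address, a sender domain one or two characters away from the organization's own, a Reply-To pointing at a different domain, and payment-urgency language. The trusted domain, the executive directory, the keyword list and both messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the nonprofit's own domain and its executives'
# real addresses, as a mail filter or finance-team tool would have on file.
TRUSTED_DOMAINS = {"example-org.org"}
EXECUTIVES = {"jane doe": "jane.doe@example-org.org"}
URGENCY = ("wire", "urgent", "new bank", "account details",
           "confidential", "before end of day")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw):
    """Return a list of human-readable reasons the message looks like CEO or
    invoice fraud; an empty list means none of the indicators fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []

    # 1. A known executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' but sender address is {addr}")

    # 2. Sender domain is a near-miss of a trusted domain (registered lookalike).
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                reasons.append(f"lookalike domain {from_domain} resembles {trusted}")

    # 3. Replies are steered to a domain other than the apparent sender's.
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To {reply} points away from the sender domain")

    # 4. Pressure to move money fast and keep it quiet.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [k for k in URGENCY if k in text]
    if len(hits) >= 2:
        reasons.append("payment urgency language: " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real correspondence).
SUSPECT = """From: Jane Doe <jane.doe@examp1e-org.org>
Reply-To: jane.doe.ceo@mail-example.com
To: finance@example-org.org
Subject: Urgent wire - confidential

Hi, I need you to process an urgent wire to a new vendor before end of day.
New bank account details are attached. Keep this confidential for now.
"""

LEGIT = """From: Jane Doe <jane.doe@example-org.org>
To: finance@example-org.org
Subject: Board minutes

Attached are the minutes from last week's board meeting. Thanks!
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

Header heuristics like these catch the clumsy majority of attempts, but a compromised real mailbox produces a message with none of the first three indicators. The control that actually stops both cases described above is procedural: any new or changed payment instruction is confirmed by calling the requester or supplier on a number already on file, never on one supplied in the email.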
Embedding Cybersecurity in the Non-Profit Sector
Cybersecurity should not be viewed as an isolated investment for nonprofits, but rather as a long-term enabler to leverage technology safely and sustainably in pursuit of their missions. By recognizing cybersecurity risks as threats to operational continuity, data privacy, and institutional viability, nonprofit leaders and their donors have a responsibility to prioritize digital resilience.
Through the CyberPeace Builders program, the CyberPeace Institute provides free cybersecurity assistance to more than 250 nonprofit organizations worldwide. This flagship initiative connects corporate volunteers with charitable entities to help them assess their digital vulnerabilities and implement actionable steps to strengthen their cybersecurity posture.
By proactively addressing the growing malware threat and investing in robust cybersecurity measures, nonprofits can safeguard their operations, protect the sensitive data of their donors and beneficiaries, and ensure the long-term sustainability of their vital work. Cybersecurity is no longer an optional consideration, but a critical imperative for charitable organizations in the digital age.
To learn more about the CyberPeace Institute’s efforts to support the non-profit sector, visit https://itfix.org.uk/.