If you’re responsible for a non-profit organization or an association, then you might think, “We’re not a tech giant or a bank. Why would hackers bother with us?” Unfortunately, this line of thinking can get you into serious trouble. In reality, non-profits and associations are increasingly becoming prime targets for cybercriminals.
The Reality of Cyber Threats Facing Non-Profits and Associations
The notion that non-profits and associations are immune to cyber attacks is not only misguided but also dangerous. The stark reality is that these organizations are increasingly finding themselves in the crosshairs of cybercriminals.
According to the 2023 Nonprofit Tech for Good Report, a staggering 27% of non-profits worldwide have fallen victim to cyberattacks. But it gets worse. A study by the CyberPeace Institute in 2023 found that among Geneva-based non-profits, a staggering 41% had been victims of cyberattacks in the past few years. That’s nearly half of all organizations surveyed.
The consequences of these attacks can be devastating. Take the International Committee of the Red Cross (ICRC) for example. In January 2022, they suffered a massive data breach that compromised the sensitive personal information of over 515,000 individuals, including staff, donors, volunteers, and even victims of tragedies from around the world.
Needless to say, the financial consequences of these attacks can be severe. A prime example is the case of Philabundance, a Philadelphia food bank. In a sophisticated phishing attack, cybercriminals managed to swindle the organization out of $1 million. How? By infiltrating their email system and sending a completely fake but highly believable payment request for the construction of a new community kitchen.
Indeed, phishing is one of the most common attack vectors targeting non-profits and associations, together with ransomware attacks, fileless malware, and other threats. But what makes non-profits and associations such attractive targets for malicious actors in the first place? Several factors. Let’s explore the most important ones in the next section of this article.
What Makes Non-Profits and Associations Attractive to Hackers
Non-profits and associations possess a unique set of characteristics that, unfortunately, make them ideal targets for cybercriminals.
Treasure Troves of Sensitive Data
Many non-profits and associations have databases brimming with personal details of donors, members, volunteers, and beneficiaries. We’re talking about names, email addresses, financial information, social security numbers, and more.
In the wrong hands, this data could be used for everything from targeted phishing attacks to corporate espionage. Cybercriminals can also simply sell it on the dark web to other malicious actors around the world or make it publicly available to cause as much reputational harm as possible.
Financial Constraints and Outdated Technology
When every dollar counts, cybersecurity can sometimes take a backseat to mission-critical activities. It’s not that non-profits and associations don’t care about security—it’s that they’re often forced to make tough choices about where to allocate their limited resources.
Together with unrealistic assumptions about their vulnerability to cyber attacks, this can cause them to neglect crucial security measures and rely on outdated technology. The problem is that outdated software and hardware can be riddled with known vulnerabilities that hackers can exploit with ease.
Download
DoD Contractor’s Guide to CMMC 2.0 Compliance
Limited Cybersecurity Expertise
Unlike tech giants or financial institutions, non-profits and associations often lack dedicated IT security teams. Instead, they’re more likely to have a jack-of-all-trades IT person (if they’re lucky) or rely on volunteers with varying levels of tech savvy. This shortage of expertise can be compounded by high turnover rates and heavy reliance on volunteers.
As a result of their limited cybersecurity expertise, 65% of humanitarian organizations consider their cybersecurity practices to be inadequately managed, and the problem gets worse the smaller the organization.
Gateways to Partner Organizations
Non-profits and associations don’t operate in a vacuum. They’re often interconnected with a web of partner organizations and even government entities. While great for collaboration, this interconnectedness can make them attractive targets for cybercriminals looking for a backdoor into larger, more secure organizations.
This tactic, known as a supply chain attack, is becoming increasingly common. In fact, supply chain attacks surged by a staggering 633% in 2022, outpacing malware-based attacks by 40%. The success of these exploits is motivating cybercriminals to double down on this strategy. What’s even more concerning is the lack of preparedness: according to the UK’s Cyber Security Breaches Survey 2023, only 13% of organizations review the risks posed by their immediate suppliers, and a mere 8% consider their wider supply chain.
Insufficient Cybersecurity Employee Training
One of the most significant vulnerabilities facing non-profits and associations is the lack of adequate cybersecurity training for employees and volunteers. According to Hornetsecurity, a staggering 26% of organizations don’t provide any form of IT security training to end-users. Non-profits and associations are sadly among the worst offenders in this regard.
This lack of training is often due to limited resources, high turnover rates, and a general lack of awareness about the importance of cybersecurity. The consequences can be severe as employees and volunteers who are not adequately trained in cybersecurity best practices are more likely to fall victim to common—let alone not-so-common—cyber threats.
Expansive Digital Footprint
Whereas the employees of a typical small to medium-sized business are located in a single office or a few locations, non-profits and associations often have a much more expansive digital footprint. They may have staff and volunteers working remotely from various locations around the world. This distributed workforce can make it challenging to enforce consistent security protocols and monitor for potential threats.
Moreover, the use of personal devices (BYOD – Bring Your Own Device) for work purposes is very common among non-profits and associations, which is another major cybersecurity challenge since BYOD devices may not have the same level of security as those provided by the IT department.
Targets of Ideological Cyber Attacks
There’s one unique threat that non-profits face but most regular businesses don’t: ideological targeting. When certain individuals or groups of people, including nation-state actors, oppose the mission and values of a non-profit they may launch cyberattacks not for financial gain, but to disrupt its operations or damage its reputation.
One common cyber attack launched against non-profits by those who disagree with their mission is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, the perpetrators flood a website or online service with an overwhelming amount of traffic, causing it to slow down significantly or crash completely. This can be particularly damaging for non-profits during crucial periods like fundraising campaigns or when trying to raise awareness about time-sensitive issues.
Protect Your Non-Profit or Association
Non-profits and associations face unique challenges when it comes to cybersecurity, but that doesn’t mean they’re helpless against these threats. With the right strategies and tools, they can effectively protect themselves from cyber attacks.
At OSIbeyond, we understand your specific needs and constraints and are here to help you implement robust cybersecurity measures. Contact OSIbeyond today to schedule a meeting and learn more about how we can help you safeguard your non-profit or association.