Cybersecurity for nonprofits: Why it’s time to close the gap

    Nonprofit organizations today face unprecedented challenges to cybersecurity. Here’s what the latest research tells us about the threat landscape, as well as what nonprofits can do to secure their missions.

    It’s becoming increasingly difficult for nonprofits to ignore the technology gap. The resulting costs of vulnerabilities, downtime, and disruptions can be severe, both to the organization and the mission it serves. From the confidence of donors to the ability to deliver critical services, much depends on a nonprofit’s digital maturity.

    Cybersecurity remains a key area for improvement: in the United States, almost half of nonprofits have experienced a security breach in the past 12 months. However, even though 74% of nonprofits see digital transformation as a high-level necessity, only 12% have made changes that score them high on the Nonprofits Digital Maturity Index.

    But as you’ll see, most nonprofits have yet to properly invest in adequate preparedness and prevention.

    Why nonprofits can’t afford to neglect cybersecurity

    The sheer volume of attacks in the nonprofit sector is part of a broader evolution of the threat landscape. A deep analysis of trillions of signals by Microsoft found that 4000+ identity authentication attacks alone were blocked every second in 2023.

    The same report notes the significant rise of hacktivism and attacks by nation-state actors, both of which tend to target the NGO/nonprofit sector. In fact, of the industry sectors targeted by nation-state actors, NGOs make up 17%.

    The persistence of common cybersecurity threats for nonprofits

    Hacktivism and nation-state attacks aside, nonprofits face a number of common but serious threats. Perhaps due to the prevalence of unpatched systems and the use of third-party vendors, nonprofits remain vulnerable to data exposure, breaches, and theft.

    Let’s take a closer look at four common cybersecurity threats to nonprofit organizations:


    Phishing

    This is a form of deception that lures unsuspecting people into divulging sensitive information. Scammers use deceptive emails, websites, and other messages to dupe recipients into sharing passwords or account information. A successful phishing attack can lead to data loss, operational disruptions, and serious reputational damage.

    Phishing attacks thrive on exploiting human psychology and creating confusion. Cybercriminals capitalize on this confusion to gain unauthorized access to private data or wreak havoc in the digital world.

    In 2021, Nobelium gained access to the Constant Contact account for USAID. The group used this access to launch a widespread phishing attack, with government agencies and non-governmental organizations among its primary targets.


    Ransomware

    Ransomware infiltrates computer systems and holds files and data hostage, usually demanding a ransom payment in exchange for a decryption key. Given the nature of ransomware attacks, the cost can be significant.

    Ransomware can cripple businesses, halt operations, and expose sensitive information. From a financial perspective, the average cost of a ransomware attack was more than USD 4.5 million in 2022. In 2020, Save the Children (a nonprofit) fell victim to the Blackbaud security breach, a large-scale ransomware data breach.


    Spyware

    Bad actors use spyware to snoop, track, and report on online activities without the knowledge of their targets. Spyware often “piggybacks” on seemingly harmless downloads or attachments, before stealthily monitoring keystrokes, browsing habits, and other activity. The result can be the compromise of sensitive information, fraud, and even blackmail.

    Recently, ESET Research detailed how a group of cybercriminals known as Evasive Panda used spyware to target an international NGO in China and then spy on users of certain Chinese software.

    DDoS attacks

    A DDoS (Distributed Denial of Service) attack is designed to overwhelm and hamstring online services or websites by flooding them with an avalanche of traffic from a network of compromised computers. DDoS attacks can be massive and sustained, often utilizing a legion of hijacked devices (known as a botnet), to amplify the onslaught.

    For a nonprofit with weak or inadequate cybersecurity infrastructure, a DDoS attack can disrupt digital operations entirely. In one brazen recent example, Russian hackers used a DDoS attack against the NATO website, hampering the organization’s ability to provide earthquake relief to Syria and Turkey.

    The qualitative cost of cyberinsecurity

    Cybersecurity is a matter that can affect all aspects of a nonprofit. This includes reputation. Will donors want to work with organizations that cannot keep their data secure? If they cannot trust an organization to protect sensitive information, why should they trust it with a donation or partnership?

    Speaking of fundraising, disruptions that arise from cybersecurity issues can directly impact an organization’s ability to conduct fundraising activities. If the website or CRM software should go down because of a DDoS attack, for example, fundraising efforts might be affected.

    On the one hand, resulting technical issues themselves might inhibit key fundraising processes (outreach, payment processing, etc.). On the other hand, donors might have second thoughts about funding organizations that are prone to cyberattacks or cannot protect sensitive data.

    Of course, achieving digital maturity and, by extension, strengthening cybersecurity posture, has its benefits. Digitally mature nonprofits are:

    • 1.9x more likely to have experienced improvements in efficiency or mission impact
    • 3.5x more likely to have motivated employees
    • 1.7x more likely to report a healthy workplace culture
    • 1.3x more likely to have lower levels of staff burnout

    Barriers to cybersecurity adoption in nonprofits

    We’ve briefly mentioned the lack of resources, funding, and capacity that may inhibit many nonprofits. These and other factors tend to stand in the way of a stronger cybersecurity infrastructure:

    Inadequate funding and board engagement

    Fundraising and the allocation of available funds is daily work for any nonprofit. For many — even those that understand the importance — cybersecurity is not always a priority. Two thirds of nonprofits (66%) surveyed by NetHope reported underfunded cybersecurity programs. And 34% don’t engage their board on the topic, or only do so in response to an acute need.

    Limited time and resources “on the ground”

    In nonprofits that are already stretched thin, cybersecurity often takes a back seat. For instance, we know that cyber risk assessments can reveal important areas for improvement — improvement that can make a big difference. Unfortunately, 43% of nonprofits say the time commitment required prevents them from conducting such an assessment. Another 40% say they don’t have the personnel to perform the assessment in the first place.

    Lack of adherence to cybersecurity best practices

    Without even the ability to perform a risk assessment, it’s not surprising that many organizations — nonprofits included — fail to adhere to even basic security best practices. An analysis of ransomware response engagements from Microsoft found that “low maturity security operations” were present for 62%, characterized by “ineffective security operations and limited data protection.”

    However, the same analysis found that “over 80% of security incidents can be traced to a few missing elements that could be addressed through modern security approaches,” and that “basic security hygiene still protects against 98% of attacks.”

    Cybersecurity best practices for NGOs

    Despite persistent lapses in cybersecurity, nonprofits can make significant progress simply by following a few best practices. First and foremost, establish basic cybersecurity measures, such as multi-factor authentication, software patching, and awareness training. In its annual Cyber Security Breaches Survey, the UK government highlights four critical aspects of so-called cyber hygiene:

    • Established password policies
    • The use of network firewalls
    • Restricting admin rights
    • Policies to apply software security updates

    But nonprofits must move beyond simple best practices if they hope to achieve digital maturity. This includes strategically budgeting for cybersecurity based on known risk, competitive landscape, and evolving need. See Cybersecurity for Nonprofits from the National Council for Nonprofits for an expanded list of assessment tools, GDPR best practices, and other important resources.

    This effort should coincide with the implementation of a cybersecurity framework, such as the NIST Cybersecurity Framework (National Institute of Standards and Technology) or the CIS Critical Security Controls (Center for Internet Security). Reference CISA’s Known Exploited Vulnerabilities (KEV) list, too, a free and open logging solution (view the full KEV catalog here).

    Finally, consider implementing a threat detection and response solution at special pricing for NGOs. These solutions are capable of automatic threat detection for all endpoints, robust security policies, and the isolation of compromised devices. Coupled with remote management, you’ll be able to handle updates and patch management in one place, among other cybersecurity best practices for nonprofits.
