General

Cybersecurity Risks Continue For Nonprofits

02.23.23 | Linda J. Rosenthal, JD

One in four nonprofits worldwide have experienced a cyber attack: email phishing, website hacking, ransomware, social media attacks, or a similar intrusion. That’s according to the just-released 2023 Nonprofit Tech for Good Report.

There is a widespread and persistent misconception that nonprofits, especially smaller ones, hold little interest as potential targets to cyber criminals. But this risk is real and has been growing year by year. The hackers have become increasingly sophisticated in circumventing counter measures. And during the pandemic, the danger grew exponentially, as the chaos and disruption created easily exploitable opportunities for wrongdoers.

Odds of a potentially catastrophic security incident that are exceed 25% are unacceptably high. This threat should not be ignored.

Consider that statistic in perspective: Our friends and neighbors who regularly buy powerball tickets with billion-dollar-plus payouts are counting on odds recently pegged at 1 in 306.2 billion. That’s equivalent to the chance one individual will be struck by lightning 250 times during a lifetime.

Why Have Nonprofits Been Slow to React?

In our first post on this topic, we wrote: “Hacking is big news these days. There is a false belief that cyber threats are aimed at major businesses, governments, news organizations and other political targets.” But “[t]he reality is sobering: ‘Cyber threats are a factor for any organization with digital record-keeping. Hackers do not care what you do, only whether you have records they can harvest.’” Nonprofits and Cybersecurity: Make it a Priority (November 30, 2016) [cyber security should be a “part of any nonprofit’s ongoing risk management strategy.”]

A year later, in Key Cybersecurity Threats for Nonprofits (November 22, 2017), we observed: “Unless you’ve been living under a rock, you know by now that the ‘hacking’ threat is more pervasive than anyone previously thought.” But, then and now, a “huge obstacle to taking precautions is the highly technical, complex nature of this 21st-century crime. Most people, including nonprofit board members and senior staff, know they should tackle cyber security right away, but whenever the issue is raised, all they hear is, ‘Blah, blah, blah, computer, blah, blah, back door, blah blah ….’”

As the National Council of Nonprofits currently explains at its Cybersecurity for Nonprofits website section: “If your nonprofit engages in any of the three activities below, it’s time to get serious about taking steps to address cybersecurity risks. Does your nonprofit:

Conduct e-commerce on its website, such as processing donations or event registrations?
Store and transfer (such as by sending to the cloud) “personally identifiable information,” about anyone, including donors? (Common examples of personally identifiable information include: clients’ medical information; employee records, including drivers’ licenses, addresses, and social security numbers.)
Collect information on preferences and habits of donors, patrons, newsletter subscribers, etc.”

NCN advises: “It makes sense for EVERY nonprofit to – at a minimum – assess the risks of a data security breach, and protect its data from unauthorized disclosure.”

Resources

For a current overview of the threat of cyber crime generally, the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), has helpful reading materials including: Begin the Conversation: Understand the threat environment and StopThinkConnect toolkit.