Small and medium-sized businesses (SMBs) are a more frequent target of cybercrime than large companies, and small nonprofits face an even higher incidence of high and critical-severity attacks.
On the surface, the trend toward attacks focused on smaller organizations may seem counterintuitive. There are obviously more lucrative targets for cybercriminals than a small nonprofit organization, and hitting large commercial targets is less likely to generate public outrage. Given the risk and presumably low payday, why is this sector seemingly painted with such a big bullseye?
Let’s examine five reasons why nonprofits are a common target and discuss how your organization can defend against potentially disastrous attacks.
1. Attackers know nonprofits operate under financial constraints, making them likelier to have weak cyber defenses
All businesses have financial constraints, but the pressure to keep costs down is especially intense for nonprofits, where money spent on operations is seen as money that can’t be used to support the organization’s mission. Nonprofits are reluctant to commit to overhead spending, and many donors hesitate to give money that would go toward costs not directly related to programs.
According to the National Council of Nonprofits, 88% of America’s 1.3 million charitable nonprofit organizations operate on an annual budget of $500,000 or less. Given the pressure to spend that money on providing services and paying staff, there is little budget available for expenses beyond the core programs.
Unfortunately, cybersecurity protection falls under “overhead spending.” Funding for security technology, or even for IT upgrades in general, is likely not a top priority. Many nonprofits — especially smaller organizations — lack adequate cybersecurity defenses as a result, leaving them vulnerable to attack. Attackers know this.
2. Budget challenges mean outdated PCs, operating systems and limited cybersecurity training
The cybersecurity threat landscape is quickly and constantly changing. Computers, operating systems and other technology such as smartphones and tablets must be kept up to date to keep pace with a constant stream of newly disclosed vulnerabilities. Any connected equipment left unpatched gives the adversary an opportunity to gain access to the organization, and older devices that no longer receive vendor updates cannot be patched at all.
For-profit businesses know the costs of cyberattacks and the damage a breach can cause. Depending on the sector, they spend anywhere from 3% to 13% of their annual revenue on IT, with smaller firms typically spending a greater percentage. Many nonprofits are unable to match that level of spending.
Budget challenges affecting cybersecurity extend to general IT. Some nonprofits rely on PCs donated from businesses and individuals who no longer need them. Staffing is also affected; nonprofits often rely on volunteers to fill many roles. Due to financial constraints, cybersecurity training is superficial — if it happens at all. This heightens their risk from common tactics such as phishing.
3. Nonprofits are a source of valuable data
Although they are often much smaller than a typical corporation, nonprofits remain a valuable target for adversaries. For example, some nonprofits sell merchandise or services on their websites and store purchase-related information on their network. Infiltrating one of their servers could lead attackers to donors’ credit card and banking information. While it’s not anywhere near the scale of a major retailer like Amazon, a nonprofit presents adversaries an opportunity to steal customer data they can then use to achieve their goals — and possibly prove the adversary’s worth to larger, more prolific networks of hackers.
Financial data isn’t the only information at risk. Many donors may be people or organizations whose status and/or resources make them potential targets. Access to their data may be enough reason to attack a nonprofit. It’s also highly likely employee data is stored locally, including personal information such as Social Security numbers, home addresses, phone numbers and banking data. This data can end up being sold on the dark web, leading to serious consequences such as identity theft, financial loss and an impact on the credit scores of employees who are affected.
Unfortunately, there are many examples of nonprofits being targeted by cyber criminals for their data. An attack in 2019 impacted one of western New York’s largest nonprofits, resulting in a breach that exposed sensitive data including the names, addresses, Social Security numbers, financial data, government IDs, medical information and health insurance details of 1,000 clients.
4. Nonprofits may be political or terrorist targets due to the causes they represent
Not all cyberattacks are motivated by profit. In some cases, a political or social element is involved, especially when the target is a nonprofit organization. Support for certain causes can make nonprofits a target for so-called “hacktivists” or even state-sponsored cyberattacks on the other side of the issue. The goal in these cases is often to disrupt the nonprofit and prevent it from accomplishing its mission.
A prime example of this is the Russian invasion of Ukraine. In the lead-up to the war, CrowdStrike tracked a significant increase in malware attacks against Ukrainian companies and media outlets. It has been reported that humanitarian organizations providing aid to Ukrainian refugees and other non-governmental organizations (NGOs) have also come under cyberattack. Another prominent example took place in late 2022, when Amnesty International Canada suffered a data breach that investigators attributed to a Chinese state-sponsored group; Amnesty has long criticized the Chinese government for human rights violations.
5. Nonprofits can provide access to larger targets through supply chain connections
Nonprofits are part of a broader supply chain. They likely hold login credentials or online access to the companies they do business with; for example, for ordering products and services, processing payments and conducting financial operations.
This connection, combined with a weak security posture, means attackers may see a nonprofit as a stepping stone to a more lucrative target. They can compromise the weaker network first, then abuse the trusted connection (a shared account, a partner portal login or a VPN link) to quietly establish a foothold within a much larger and better-protected target.
Nonprofits need a better approach to cybersecurity
The message is clear: a nonprofit’s mission or charitable status doesn’t offer protection from cyberattacks. If anything, analysis shows these organizations are key targets and are being attacked with alarming frequency. Even small nonprofits can be the target of an attack — with devastating results.
Modern cybersecurity protection is not an option; it is a must. Unfortunately, the traditional antivirus used by SMBs, including many nonprofits, is unable to keep up with the pace and complexity of today's ransomware and cyberattacks.
Nonprofits would do well to deploy user-friendly, cloud-based cybersecurity solutions that are more comprehensive than AV tools, but which don’t require the expertise and dedicated resources of a complex threat analysis platform. This is especially true for smaller nonprofits with less IT budget and less staff expertise in cybersecurity.
Fortunately, the advent of AI-powered cybersecurity is making it easier for users of all skill levels to deploy protection that is capable of stopping the modern cyberattacks that antivirus solutions often miss. Look for solutions that can be deployed quickly, ask vendors for independent evidence of their detection and prevention rates, and make sure the product protects against data theft as well as malware.
Nonprofits should look for endpoint security solutions that have been validated by independent, third-party industry analysts, such as Gartner, Forrester, and IDC, or which have been tested and proven by hands-on testing labs like SE Labs.
Don't overlook the possibility of pro-bono cybersecurity support, either. Nonprofits with a small number of endpoints (laptops, desktops, servers, smartphones, printers and other devices that connect to their network) can often apply for free access to cybersecurity protection from leading cyber companies.
For more information, nonprofits may want to consult CrowdStrike’s free SMB Cybersecurity toolkit, which offers valuable guides to cybersecurity that are aimed at smaller organizations, including a 2023 cybersecurity checklist, how to create a cybersecurity budget and how to create an employee cybersecurity awareness training program.
Cybersecurity is a challenge for all small organizations, and especially so for budget-constrained, mission-driven nonprofits. But there are solutions, and with a comprehensive approach and a little preparation, nonprofits can achieve a dramatically improved security posture in short order.
Lisa Campbell is the Vice President SMB at CrowdStrike.