By Erich Kron
Nonprofit organizations are not immune to modern ransomware demands, as shown last year by the attacks against OneBlood, the Alder Hey Children’s Hospital, the Albyn Housing Society, Paris-Saclay University, and the Hong Kong Consumer Council, which together point to a growing global problem. This trend of attacking nonprofits poses a significant threat to groups that are dedicated to serving communities.
Nonprofits often operate with limited resources and even smaller cybersecurity budgets, making them a prime target for cybercriminals. The consequences when a nonprofit is hit by ransomware can be devastating. It leads to operational disruptions, financial loss, and even the exposure of sensitive donor and client information.
The lack of dedicated information technology (IT) staff can also be a significant challenge for nonprofits because managers often must rely on small IT teams or even volunteers, many of whom might not have expertise in cybersecurity. This makes it harder to implement strong security measures or apply security consistently when multiple people are trying to help. Some nonprofits enlist outside organizations to provide IT and cybersecurity services. At the end of the day, the balance between spending on IT and cybersecurity services and performing the organization’s mission can prove to be a major challenge.
Cybercriminals understand that nonprofits depend on trust and goodwill from donors and stakeholders. They exploit these organizations knowing that many leaders might feel pressured to pay the ransom to quickly resume operations and avoid damaging the nonprofit’s reputation.
The financial burden of a ransomware attack is particularly harmful to nonprofits, which often struggle to allocate funds for cybersecurity measures. The more the organization spends on cybersecurity, the less is available to put toward its mission, posing quite a dilemma. Additionally, nonprofits store valuable personal and financial data about their donors and beneficiaries, making them even more attractive targets.
Attackers typically demand the ransom be paid in cryptocurrency, such as Bitcoin, Ethereum or USD Coin, in exchange for a decryption key and a promise not to publish the stolen data. Paying the ransom is no guarantee that data will be restored. According to Sophos, only 8% of businesses that pay ransoms managed to get back all of their data. Paying the ransom only serves to further incentivize criminals to continue their attacks on other vulnerable organizations.
The impact of ransomware extends beyond financial losses. Service disruptions can mean that vital assistance is delayed or halted entirely, affecting communities that rely on these organizations for food, shelter, healthcare, or education. A breach of sensitive information can lead to long-term reputational damage, making it difficult for nonprofits to secure future funding and support.
Preventing ransomware attacks requires proactive measures and a careful balance of cost and effectiveness against the threat. Nonprofit leaders must invest in cybersecurity training for staff and volunteers to recognize phishing attempts and other cyber threats. Regularly updating software and operating systems can help patch vulnerabilities that cybercriminals can exploit.
Implementing strong access controls, such as multifactor authentication, can limit unauthorized access to critical data resulting from credential theft or poor credential hygiene. Backing up data frequently and storing backups offline ensures that you can recover the information without having to pay a ransom.
An issue for nonprofits of all sizes lies in the ability to keep software and devices patched and up to date. Few nonprofits have a resilient patch management program. Out-of-date software is a vulnerability that cybercriminals love to exploit, so keeping devices up to date with the latest security patches is a critical step in protecting your organization.
While some internet service providers automatically update equipment such as the provided modem or router, many do not take on that responsibility. Because these devices sit directly on the internet, the danger is extreme when security vulnerabilities are found in them. Most internet service providers (ISPs) will help customers learn how to update their internet hardware. This can be a very valuable resource in protecting your organization.
The growing reliance on digital tools in nonprofit work means that cybersecurity must become a priority. While ransomware attacks can be devastating, organizations where leaders take preventive steps can reduce their risk and safeguard their missions. Taking steps to address human risk management, such as educating nonprofit leaders and staff about these threats, is one of the most effective ways to prevent cybercriminals from taking advantage of their vulnerabilities.
A strong cybersecurity posture and well-trained staff help ensure that you can continue your vital work without the fear of disruption from malicious actors.
This is a frustrating dilemma as every dollar spent on cybersecurity is one less dollar to spend on providing services. That said, remember that a data breach can be catastrophic for the very people for whom the organization is providing services, so it must be taken seriously.
*****
Erich Kron is a security awareness advocate at KnowBe4, a cybersecurity platform that addresses human risk management. He is the former security manager for the US Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications.