Pinch A Dollar, Compromise A Terabyte

By Richard H. Levey

The weakest elements of a nonprofit’s cybersecurity defense drank coffee in the breakroom this morning. Or perhaps they skipped the coffee, so they were not as sharp when they received an email requiring a software upgrade. As a result, several clicked on it without making sure the so-called upgrade was legitimate.

If they did click on the link in the email, hopefully it was part of a test of employee cybersecurity savvy. “We’ve been doing tests through [security awareness and training firm] Knowbe4 for about five years,” National Council of Nonprofits (NCN) Chief Operating Officer Rick Cohen said. “The pattern I’ve seen getting the most clicks are our phishing emails that look like an email from Zoom saying somebody needs to update their Zoom software.”

Cohen was not implying the video call service firm was especially vulnerable, merely that messages appearing to come from a reputable vendor can compromise the systems of those engaging with them. A first, cautious step is looking at the sender's email address, not just the display name. “If it’s Zoom, it’ll be from something@zoom.us,” Cohen said. If it comes from update-zoom.us instead, that is a different domain altogether, registered separately from zoom.us.

“A software update seems innocent,” Cohen said. “It’s not asking you to put in your password or any information. It’s just asking you to click to get the latest version.”
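The sender-address check Cohen describes is easy to state and easy to get wrong, so here it is as code. This is an added example, not code from the article, NCN, Knowbe4 or Zoom; the only fact it takes from the text is that legitimate Zoom mail comes from zoom.us. The sample From: headers are constructed for the example, and the update-zoom.us address is the hypothetical lookalike the article mentions.

```python
"""Sender-domain check for a suspicious 'software update' email.

Added example: turns "look at the sender address" into a check that is
harder to fool than eyeballing. Assumption: Zoom mail comes from zoom.us,
as quoted in the article; every header below is constructed sample data.
"""
from email.utils import parseaddr

# Vendors and the domains they actually send from (assumed for this example).
EXPECTED_SENDER_DOMAINS = {
    "zoom": ["zoom.us"],
}


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address in a From: header, lowercased.

    parseaddr() separates 'Zoom <x@update-zoom.us>' into the display name
    and the address, so a friendly display name cannot hide the domain.
    Returns '' when there is no usable address at all.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def domain_matches(domain: str, expected: str) -> bool:
    """True if domain is exactly `expected` or a subdomain of it.

    Matching on a label boundary is what separates 'mail.zoom.us' (ok)
    from 'update-zoom.us', 'notzoom.us' or 'zoom.us.example.com' (not ok):
    a plain endswith('zoom.us') would accept 'notzoom.us'.
    """
    return domain == expected or domain.endswith("." + expected)


def classify_sender(from_header: str, vendor: str) -> str:
    """Classify a From: header that claims to come from `vendor`."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    if any(domain_matches(domain, d) for d in EXPECTED_SENDER_DOMAINS[vendor]):
        return "expected-domain"
    return "lookalike-or-unknown"


# Constructed sample headers, including the update-zoom.us pattern from the text.
SAMPLE_FROM_HEADERS = [
    "Zoom <no-reply@zoom.us>",
    "Zoom <no-reply@mail.zoom.us>",
    "Zoom Support <update@update-zoom.us>",
    "Zoom <update@zoom.us.example.com>",   # real domain used as a leading label
    "Zoom <update@notzoom.us>",            # real domain as a bare suffix
    "Zoom Support",                         # display name, no address
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header, 'zoom'):22} {header}")
```

This catches lookalike domains, which is the pattern Cohen describes. It does not catch a message whose From: header simply lies and says zoom.us, because the header is written by the sender; stopping that is the job of SPF, DKIM and DMARC enforcement at the mail gateway, which a nonprofit's mail provider can usually turn on.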

Fake updates aren’t the only lookalike emails that cause unwanted clicks. Artificial intelligence programs have become better at scooping up written language patterns used by organization officials, resulting in emails to lower-level staff requesting financial transfers or system access information. The ability to mimic an individual’s written voice can result in recipients granting those requests without confirming them.

The result of all these innovations by digital no-goodniks has been increased malicious activity. During 2023, 105 nonprofits were compromised, up from 72 a year earlier, according to the San Diego, California-based Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report. System and human error made up the second-largest category of identified attack vector, surpassed only by cyberattacks, per the ITRC’s report.

NCN does not capture sensitive information, such as Social Security numbers, and does not store information such as credit card numbers, according to Cohen. That said, there is a drive to present best practices to its immediate constituency of state associations of nonprofits, as well as the nonprofits under each state association’s purview.

For Cohen’s part, that means staying on top of the ever-changing world of cyberthreats, which morph as the nature of office work changes. “You can fall prey to a scam no matter where you are,” Cohen said. Vulnerabilities increase as nonprofit leaders allow remote work. Home-based laptops might not sit behind the same firewalls as in-office computers, and public WiFi networks, such as those at a coffee shop or an airport lounge, add further exposure.

There is a tradeoff, of course: If a bad actor does get into an office computer, chances are the machine is part of the nonprofit’s network, allowing for greater damage.

A given nonprofit’s ability to safeguard against cyberattacks depends on the resources its leaders can draw on. At the most basic level, a nonprofit should be taking the same security steps a home user would perform, such as running antivirus software and installing verified updates and security patches, according to Ann Fellman, chief marketing officer at Indianapolis, Indiana-based nonprofit donor management software provider Bloomerang.

“Smaller organizations don’t necessarily have dedicated on-staff security or IT personnel,” Fellman said. “Following up on antivirus software a lot of times will fall on staff or volunteers,” she added.

Intermediate-level protection includes employee training, whether provided through an online resource center or from a retained security consultant. Part of that would be taking an active hand in access controls, such as restricting enterprise-wide system privileges to a select few. Most employees don’t need access to membership, financial, fundraising and operational data, and policies regarding who has access to what should be codified and periodically reviewed. “You should have different [security] training based on the level of authority or access,” Fellman said. Access itself should be based on job duties, as opposed to title or level.

Beyond that, nonprofit managers should consider which of their data should be encrypted, whether in transit or at rest in a file. Encryption goes a long way toward mitigating the effects of a breach: hackers may copy data, but without the keys it is of little use to them or to anyone who might want to buy it, which is why the keys have to be stored and managed separately from the data they protect. “At this intermediate level [of security protection], a nonprofit might partner with an IT staff or have a managed security service partner,” Fellman said.

The next level up would be de rigueur for any large nonprofit, especially those handling sensitive information. “They’re going to have stronger controls and policies in place,” Fellman said. These measures often incorporate multifactor authentication and advanced threat detection systems that include honeypots, which attract potential miscreants and are carefully monitored by security personnel.

“What’s most important is to know where you are in your security maturity framework,” Fellman said. Gaining that type of knowledge might involve a tabletop exercise, which would start with discussions about news items about data breaches at other organizations and have a nonprofit’s leadership and employees go through what their actions would be.

“You don’t need a security expert sitting at the table to prompt you,” Fellman said, adding that an initial step would be making sure everyone understands what a ransomware attack, in which an outsider encrypts or locks up systems and data and demands payment to restore them, would entail. Nonprofit leaders who want a guide could tap their network, or their board’s network, for a consultant who would volunteer time and expertise.

One reason why nonprofits might not have the same strong safeguards commercial enterprises have is cost. While the nonprofit community has access to low- or no-cost options regarding training (see below), implementing systems and retaining or hiring IT/cybersecurity professionals can add up and that can be problematic for nonprofit leadership.

“This is one more reason why the overhead myth needs to go away completely and permanently,” the NCN’s Cohen said, referring to the tendency of funders to penalize nonprofits that report high administrative costs. Under that pressure, cybersecurity becomes an expense nonprofit leaders may be unwilling to tolerate.

“The overhead myth is one of the things that has caused a number of nonprofits to underinvest in cybersecurity,” Cohen said. “The last thing any nonprofit wants is to be in the news because its system got hacked. If Target gets hacked, people complain for a couple of days and then they’re right back in the aisles. When a nonprofit gets hacked, it’s a lot harder to bring donors back when they’re worried about their information being compromised.”

System defenses can be strengthened, but the first line of defense involves shoring up vulnerabilities around workers. Nonprofits that rely on volunteers might be more vulnerable, especially if the volunteers are in the field, whether as part of normal operations or an event that feeds data into a central repository.

“One thing that organizations should be doing – and this is for staff and volunteers – is following a policy of least access,” Cohen continued. At a minimum, systems used at events should take in information and have no links to other operations. But least access, the principle the wider cybersecurity community calls least privilege, goes beyond that: every account, staff or volunteer, gets only the access its duties require, and nothing more.

Cybersecurity is one area where the old joke about the dreaded line “I’m from the government and I’m here to help” does not apply. The folks at the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) have been focused on what they call “high-risk communities” since February 2023. In early April 2024, CISA launched a resources page for both cybersecurity-focused individuals and organizations (https://bit.ly/4b7K2fG).

The page includes self-assessment tools, exercises and links to free and low-cost helplines and other resources for nonprofits and others in the high-risk community. It also provides links to organizations such as NetHope (https://bit.ly/3JPiobl) and NTEN (https://bit.ly/3y1Xnaz), which offer resources, and in some cases, financial assistance for eligible nonprofits to start evaluating their cybersecurity vulnerability. A separate page offers discussion guides for nonprofits wanting to hold tabletop exercises (https://bit.ly/4bo3u7w).

“The goal of this was to support the cybersecurity of communities we know play a critical role in advancing democracy and upholding human rights that don’t necessarily have the same level of cybersecurity support traditional infrastructures get,” Emily Skahill, cyber operations planner at the Joint Cyber Defense Collaborative, a consortium of cybersecurity-focused stakeholders from around the world housed within CISA, said. For non-technical people, CISA also offers Project Upskill (https://bit.ly/4b7d3YV), a series of six modules that provide cybersecurity fundamentals for individuals.

At CISA, the focus is less on ransomware, malware that locks users out of their own systems and data until a payment is made, and more on “hacktivism,” such as the malicious use of stolen data or inappropriate access to internal systems for the purpose of undermining an organization’s mission. “That was the lens through which we were taking cybersecurity for nonprofits, looking at threats that come from the digital transnational repression angle,” Skahill said.

She acknowledges the diversity of cyber protection standards among nonprofits. “There is a subset of nonprofits – for example Access Now [which defends and extends digital rights among at-risk people and communities around the world] and Amnesty International – where a core part of their mission is the digital security aspect and helping other humanitarian organizations secure their networks, or when journalists are targeted with spyware,” she said.