The vital role of cybersecurity for Nonprofits: A deep dive 

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the Children continue their mission-driven work, they face an ever-growing array of cybersecurity challenges.

In this blog post, we delve into these issues and explore solutions with insights from Gareth Packham, Director of Information Security and Data Protection at Save the Children International (SCI), and Sean Costigan, Managing Director of Resilience Strategy at Red Sift.

Watch the informative discussion with Sean and Gareth here.

The cybersecurity landscape for Nonprofits

Charities and nonprofits continue their digital transformation while handling significant amounts of sensitive data, including personal (PII) and financial information of donors, beneficiaries, and employees. Protecting this data is crucial not only for maintaining trust but also for complying with domestic and international data protection regulations like GDPR. However, the unique operational constraints of nonprofits, such as limited budgets and resources, make cybersecurity a formidable challenge.

Data breaches pose a constant threat, with the number of publicly known breaches increasing 20% in 2023, putting personal and financial information at risk of exposure. A breach can result in severe financial losses, damage to reputation, and erosion of trust, along with legal repercussions. Ransomware attacks have also spiked, with payouts totaling over $1 billion USD in 2023. These attacks can cripple an organization’s operations, locking down critical data and systems until a ransom is paid, and nonprofit organizations have been frequent targets. 

Cybercriminals often succeed because organizations have failed to do the basics right. In other instances, more sophisticated bad actors may be seeking to do reputational damage to nonprofits or generate intelligence about their activities. For nonprofits, phishing remains a common method for cybercriminals to deceive employees into revealing sensitive information, often leading to significant security breaches.

But many nonprofits struggle to allocate sufficient funds and resources to cybersecurity, leaving gaps in their defenses that some have dubbed a “cyber-poor / target-rich” environment. In addition, the cybersecurity field globally is experiencing a significant talent shortage, making it difficult for nonprofits to find and retain skilled professionals.

Key questions for cybersecurity and risk experts

To further explore these critical issues, Gareth Packham and Sean Costigan addressed the following key questions:

How can charities and nonprofits effectively manage and mitigate the risks associated with data breaches to protect sensitive personal and financial information? 

In what ways can nonprofits enhance employee training and their security culture to improve resilience against cyber threats? 

What strategies can nonprofits implement to improve resourcing for cybersecurity and prevent cybercrime, particularly ransomware attacks? 

How can nonprofits assess and secure their systems against vulnerabilities introduced by third-party services and vendors? 

How can organizations work together with government and vendors to improve cybersecurity for nonprofits?

Cybercriminals are profiting off Nonprofits

The Red Cross uncovered a significant data breach in 2022, which exploited an unpatched vulnerability and compromised the personal data of over 500,000 vulnerable people. This incident highlighted the severe implications of data breaches, including potential harm to individuals and damage to the organization’s reputation.

Another notable example is the cyber attack on the American Cancer Society in 2019. Hackers gained access to the organization’s credit card processing system, leading to the theft of credit card details that were either sold or used in further fraud. This attack not only caused financial loss but also eroded donor trust.

In 2024 the Federal Trade Commission filed a complaint against Blackbaud, an organization that provides “data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organizations.” In 2020 Blackbaud suffered a breach – apparently due to lax user controls – that compromised the personal information of millions of consumers. The breach had cascading and lasting effects for thousands of nonprofit organizations.

In May 2024, the US government released a cybersecurity advisory that highlighted North Korea’s exploitation of improperly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record policies to conceal social engineering attempts. Many US-based nonprofits were caught unawares, allowing North Korean attackers to deliver spear phishing through spoofed emails. Because the targeted domains’ DMARC policies did not instruct receivers to reject or quarantine failing mail, the spoofed messages appeared to come from a legitimate domain’s mail servers.
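To show what “improperly configured” means in practice, here is an added example (not code from the post or from Red Sift’s products) that parses a domain’s DMARC TXT record and reports whether a receiver would actually reject or quarantine spoofed mail. It assumes the record has already been fetched from DNS; the sample records below are constructed for illustration.

```python
# Added example: check whether a DMARC record actually enforces against spoofing.
# Sample records are constructed, not taken from any real domain.

def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=none; rua=...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)          # URIs in rua= may contain '='
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags

def effective_policy(tags, subdomain=False):
    """Policy a receiver applies to the org domain, or to a subdomain (sp= overrides p=)."""
    policy = tags["sp"] if subdomain and "sp" in tags else tags["p"]
    pct = int(tags.get("pct", "100"))            # pct defaults to 100 per RFC 7489
    return policy.lower(), pct

def assess(record, subdomain=False):
    """Return (verdict, reason); 'weak' means spoofed mail is still delivered."""
    try:
        tags = parse_dmarc(record)
        policy, pct = effective_policy(tags, subdomain)
    except ValueError as exc:
        return "invalid", str(exc)
    if policy == "none":
        return "weak", "p=none only monitors; failing mail is neither quarantined nor rejected"
    if policy not in ("quarantine", "reject"):
        return "invalid", f"unknown policy value {policy!r}"
    if pct < 100:
        return "weak", f"pct={pct} leaves {100 - pct}% of failing mail unfiltered"
    return "enforcing", f"{policy} is applied to 100% of failing mail"

# Constructed sample records a nonprofit might find on its own domain.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "enforcing":    "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "weak_subdomain": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org",
    "partial_rollout": "v=DMARC1; p=quarantine; pct=20",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:16} {assess(rec)[0]:10} {assess(rec)[1]}")
```

A record that only ever reaches `p=none` gives you reporting but no protection; moving to `p=quarantine` and then `p=reject` at `pct=100`, for subdomains as well, is what closes the spoofing gap the advisory describes.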

Advanced persistent threats also target nonprofits: long-term, targeted campaigns aimed at stealing sensitive information or defrauding donors and others over extended periods. Here too, social engineering may trick individuals into divulging confidential information or performing actions that compromise security.

These examples underscore the urgent need for robust cybersecurity measures in the nonprofit sector. 

Strategies for strengthening cybersecurity in Nonprofits

Here are some key takeaways recommended for nonprofits to enhance their cybersecurity posture:

  • Effective management of data breach risks involves both technological and human elements. Nonprofits should take advantage of frameworks and guidance to get policies in place. 
  • Technological solutions should include robust encryption, multi-factor authentication, regular security audits, diligent backups, and strong access controls to protect sensitive information.
  • Additionally, fostering a trust-based culture of security awareness is crucial. Employees should be trained to recognize potential threats and understand the importance of safeguarding data. Developing a strong security culture where everyone feels responsible for cybersecurity can significantly reduce the risk of breaches and add to resilience.
  • Nonprofits can learn from each other and organize regular workshops and simulations to keep each other informed about the latest cybercrime tactics and security best practices. 
  • Governments offer rich resources, such as the UK’s Cyber Essentials or the US NIST Cybersecurity Framework. Furthermore, many trusted cybersecurity vendors offer non-profit pricing.

Conclusion

As their digital estates grow, nonprofits need to prioritize cybersecurity as an enterprise risk. While funds are often limited, investing in training and essential security tools like email and domain protection can prevent costly incidents that affect trust and reputation. Exploring partnerships and grants specifically for cybersecurity can also provide additional resources. To mitigate risks associated with third-party services, nonprofits may seek to conduct thorough risk assessments and due diligence before engaging with vendors. 

Nonprofits may also consider purchasing cyber liability insurance, but that requires a careful assessment of an organization’s specific risks and needs. Factors such as the potential financial impact of cyber incidents, existing security measures, and the organization’s overall risk tolerance should influence this decision. Remember: insurance can provide a valuable safety net, but it should complement, not replace, good cybersecurity practices.

As nonprofits like Save the Children continue their critical work, safeguarding sensitive data and maintaining trust is paramount. By addressing the multifaceted challenges of cybersecurity through defense in depth, strategic planning, employee training, technical controls, and robust risk management, nonprofits can better protect themselves and ensure the continuity of their vital missions.

PUBLISHED BY

Sean Costigan

7 Jun. 2024
