The vital role of cybersecurity for Nonprofits: A deep dive 

Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the Children continue their mission-driven work, they face an ever-growing array of cybersecurity challenges.

In this blog post, we delve into these issues and explore solutions with insights from Gareth Packham, Director of Information Security and Data Protection at Save the Children International (SCI), and Sean Costigan, Managing Director of Resilience Strategy at Red Sift.

Watch the informative discussion with Sean and Gareth here.

The cybersecurity landscape for Nonprofits

Charities and nonprofits continue their digital transformation while handling significant amounts of sensitive data, including personal (PII) and financial information of donors, beneficiaries, and employees. Protecting this data is crucial not only for maintaining trust but also for complying with domestic and international data protection regulations like GDPR. However, the unique operational constraints of nonprofits, such as limited budgets and resources, make cybersecurity a formidable challenge.

Data breaches pose a constant threat, with the number of publicly known breaches increasing 20% in 2023, putting personal and financial information at risk of exposure. A breach can result in severe financial losses, damage to reputation, and erosion of trust, along with legal repercussions. Ransomware attacks have also spiked, with payouts totaling over $1 billion USD in 2023. These attacks can cripple an organization’s operations, locking down critical data and systems until a ransom is paid, and nonprofit organizations have been frequent targets. 

Cybercriminals often succeed because organizations have failed to do the basics right. In other instances, more sophisticated bad actors may be seeking to do reputational damage to nonprofits or generate intelligence about their activities. For nonprofits, phishing remains a common method for cybercriminals to deceive employees into revealing sensitive information, often leading to significant security breaches.

But many nonprofits struggle to allocate sufficient funds and resources to cybersecurity, leaving gaps in their defenses that some have dubbed a “cyber-poor, target-rich” environment. In addition, the cybersecurity field globally is experiencing a significant talent shortage, making it difficult for nonprofits to find and retain skilled professionals.

Key questions for cybersecurity and risk experts

To further explore these critical issues, Gareth Packham and Sean Costigan addressed the following key questions:

How can charities and nonprofits effectively manage and mitigate the risks associated with data breaches to protect sensitive personal and financial information? 

In what ways can nonprofits enhance employee training and their security culture to improve resilience against cyber threats? 

What strategies can nonprofits implement to improve resourcing for cybersecurity and prevent cybercrime, particularly ransomware attacks? 

How can nonprofits assess and secure their systems against vulnerabilities introduced by third-party services and vendors? 

How can organizations work together with government and vendors to improve cybersecurity for nonprofits?

Cybercriminals are profiting off Nonprofits

The Red Cross uncovered a significant data breach in 2022, which exploited an unpatched vulnerability and compromised the personal data of over 500,000 vulnerable people. This incident highlighted the severe implications of data breaches, including potential harm to individuals and damage to the organization’s reputation.

Another notable example is the cyber attack on the American Cancer Society in 2019. Hackers gained access to the organization’s credit card processing system, leading to the theft of credit card details that were either sold or used in further fraud. This attack not only caused financial loss but also eroded donor trust.

In 2024 the Federal Trade Commission filed a complaint against Blackbaud, an organization that provides “data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organizations.” In 2020 Blackbaud suffered a breach – apparently due to lax user controls – that compromised the personal information of millions of consumers. The breach had cascading and lasting effects for thousands of nonprofit organizations.

In May 2024, the US government released a cybersecurity advisory that highlighted North Korea’s exploitation of improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts. Many US-based nonprofits were caught unawares, allowing North Korean attackers to deliver spear phishing through spoofed emails. The cleverness of the campaign and exploit made it seem as if these emails came from a legitimate domain’s email exchange. 

Advanced persistent threats, long-running targeted campaigns aimed at stealing sensitive information or defrauding donors and others, also reach nonprofits. Here too, social engineering may trick individuals into divulging confidential information or performing actions that compromise security.

These examples underscore the urgent need for robust cybersecurity measures in the nonprofit sector. 

Strategies for strengthening cybersecurity in Nonprofits

Here are some key takeaways recommended for nonprofits to enhance their cybersecurity posture:

  • Effective management of data breach risks involves both technological and human elements. Nonprofits should take advantage of established frameworks and guidance to get policies in place.
  • Technological controls complement those policies: robust encryption, multi-factor authentication, regular security audits, diligent backups, and strong access controls all protect sensitive information.
  • Additionally, fostering a trust-based culture of security awareness is crucial. Employees should be trained to recognize potential threats and understand the importance of safeguarding data. Developing a strong security culture where everyone feels responsible for cybersecurity can significantly reduce the risk of breaches and add to resilience.
  • Nonprofits can learn from each other and organize regular workshops and simulations to keep each other informed about the latest cybercrime tactics and security best practices.
  • Governments offer rich resources, such as the UK’s Cyber Essentials or the US NIST Cybersecurity Framework. Furthermore, many trusted cybersecurity vendors offer nonprofit pricing.

Conclusion

As their digital estates grow, nonprofits need to prioritize cybersecurity as an enterprise risk. While funds are often limited, investing in training and essential security tools like email and domain protection can prevent costly incidents that affect trust and reputation. Exploring partnerships and grants specifically for cybersecurity can also provide additional resources. To mitigate the risks associated with third-party services, nonprofits should conduct thorough risk assessments and due diligence before engaging vendors.

Nonprofits may also consider purchasing cyber liability insurance, but that requires a careful assessment of an organization’s specific risks and needs. Factors such as the potential financial impact of cyber incidents, existing security measures, and the organization’s overall risk tolerance should influence this decision. Remember: insurance can provide a valuable safety net, but it should complement, not replace, good cybersecurity practices.

As nonprofits like Save the Children continue their critical work, safeguarding sensitive data and maintaining trust is paramount. By addressing the multifaceted challenges of cybersecurity through defense in depth, strategic planning, employee training, technical controls, and robust risk management, nonprofits can better protect themselves and ensure the continuity of their vital missions.

PUBLISHED BY

Sean Costigan

7 Jun. 2024
