Save the Children, a beacon of hope and change, has been dedicated to improving the lives of children for over a century. Founded in London, it now has a presence in 29 nations, employing 844 staff members in the UK alone and engaging over 3600 formal volunteers. As charities and nonprofits like Save the Children continue their mission-driven work, they face an ever-growing array of cybersecurity challenges.
In this blog post, we delve into these issues and explore solutions with insights from Gareth Packham, Director of Information Security and Data Protection at Save the Children International (SCI), and Sean Costigan, Managing Director of Resilience Strategy at Red Sift.
Watch the informative discussion with Sean and Gareth here.
The cybersecurity landscape for Nonprofits
Charities and nonprofits continue their digital transformation while handling significant amounts of sensitive data, including personal (PII) and financial information of donors, beneficiaries, and employees. Protecting this data is crucial not only for maintaining trust but also for complying with domestic and international data protection regulations like GDPR. However, the unique operational constraints of nonprofits, such as limited budgets and resources, make cybersecurity a formidable challenge.
Data breaches pose a constant threat, with the number of publicly known breaches increasing 20% in 2023, putting personal and financial information at risk of exposure. A breach can result in severe financial losses, damage to reputation, and erosion of trust, along with legal repercussions. Ransomware attacks have also spiked, with payouts totaling over $1 billion USD in 2023. These attacks can cripple an organization’s operations, locking down critical data and systems until a ransom is paid, and nonprofit organizations have been frequent targets.
Cybercriminals often succeed because organizations have failed to do the basics right. In other instances, more sophisticated bad actors may be seeking to do reputational damage to nonprofits or generate intelligence about their activities. For nonprofits, phishing remains a common method for cybercriminals to deceive employees into revealing sensitive information, often leading to significant security breaches.
But many nonprofits struggle to allocate sufficient funds and resources to cybersecurity, leading to vulnerabilities in their defenses which some have dubbed a “cyber-poor /target rich” environment. In addition, globally the cybersecurity field is experiencing a significant talent shortage, making it difficult for nonprofits to find and retain skilled professionals.
Key questions for cybersecurity and risk experts
To further explore these critical issues, Gareth Packham and Sean Costigan addressed the following key questions:
How can charities and nonprofits effectively manage and mitigate the risks associated with data breaches to protect sensitive personal and financial information?
In what ways can nonprofits enhance employee training and their security culture to improve resilience against cyber threats?
What strategies can nonprofits implement to improve resourcing for cybersecurity and prevent cybercrime, particularly ransomware attacks?
How can nonprofits assess and secure their systems against vulnerabilities introduced by third-party services and vendors?
How can organizations work together with government and vendors to improve cybersecurity for nonprofits?
Cybercriminals are profiting off Nonprofits
The Red Cross uncovered a significant data breach in 2022, which exploited an unpatched vulnerability and compromised the personal data of over 500,000 vulnerable people. This incident highlighted the severe implications of data breaches, including potential harm to individuals and damage to the organization’s reputation.
Another notable example is the cyber attack on the American Cancer Society in 2019. Hackers gained access to the organization’s credit card processing system, leading to the theft of credit card details that were either sold or used in further fraud. This attack not only caused financial loss but also eroded donor trust.
In 2024 the Federal Trade Commission filed a complaint against Blackbaud, an organization that provides “data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organizations.” In 2020 Blackbaud suffered a breach – apparently due to lax user controls – that compromised the personal information of millions of consumers. The breach had cascading and lasting effects for thousands of nonprofit organizations.
In May 2024, the US government released a cybersecurity advisory that highlighted North Korea’s exploitation of improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts. Many US-based nonprofits were caught unawares, allowing North Korean attackers to deliver spear phishing through spoofed emails. The cleverness of the campaign and exploit made it seem as if these emails came from a legitimate domain’s email exchange.
Advanced persistent threats also target nonprofits, representing long-term targeted attacks aimed at stealing sensitive information or defrauding donors and others over extended periods. Here too, social engineering may also trick individuals into divulging confidential information or performing actions that compromise security.
These examples underscore the urgent need for robust cybersecurity measures in the nonprofit sector.
Strategies for strengthening cybersecurity in Nonprofits
Here are some key takeaways recommended for nonprofits to enhance their cybersecurity posture:
- Effective management of data breach risks involves both technological and human elements. Nonprofits should take advantage of frameworks and guidance to get policies in place.
- Technological solutions complement implementation of robust encryption, multi-factor authentication, regular security audits, diligent backups, and strong access controls to protect sensitive information.
- Additionally, fostering a trust-based culture of security awareness is crucial. Employees should be trained to recognize potential threats and understand the importance of safeguarding data. Developing a strong security culture where everyone feels responsible for cybersecurity can significantly reduce the risk of breaches and add to resilience.
- Nonprofits can learn from each other and organize regular workshops and simulations to keep each other informed about the latest cybercrime tactics and security best practices.
- Governments offer rich resources, such as the UK’s Cyber Essentials or the US NIST Cybersecurity Framework. Furthermore, many trusted cybersecurity vendors offer non-profit pricing.
Conclusion
As their digital estates grow, nonprofits need to prioritize cybersecurity as an enterprise risk. While funds are often limited, investing in training and essential security tools like email and domain protection can prevent costly incidents that affect trust and reputation. Exploring partnerships and grants specifically for cybersecurity can also provide additional resources. To mitigate risks associated with third-party services, nonprofits may seek to conduct thorough risk assessments and due diligence before engaging with vendors.
Nonprofits may also consider purchasing cyber liability insurance, but that requires a careful assessment of an organization’s specific risks and needs. Factors such as the potential financial impact of cyber incidents, existing security measures, and the organization’s overall risk tolerance should influence this decision. Remember: insurance can provide a valuable safety net, but it should complement, not replace, good cybersecurity practices.
As nonprofits like Save the Children continue their critical work, safeguarding sensitive data and maintaining trust is paramount. By addressing the multifaceted challenges of cybersecurity through in-depth defense, strategic planning, employee training, technical means, and robust risk management, nonprofits can better protect themselves and ensure the continuity of their vital missions.
