Nonprofit organizations have cybersecurity vulnerabilities, too!

Over the past decade, we have seen a significant increase in the number of available cybersecurity job positions. Government agencies and private corporations alike have recognized the need for strong defensive and proactive cybersecurity capabilities to ensure the safety of their data and continuity of operations. Strong enrollment numbers in university programs as well as cybersecurity boot camps and shorter duration online courses prove that there are students of all ages interested in cybersecurity roles. Often overlooked in the conversations about the need for cybersecurity roles and training, though, is the need to provide cybersecurity support to nonprofit organizations and other social impact organizations.

Nonprofit organizations often hold incredibly sensitive data. In addition to the traditional Personally Identifiable Information (PII)—including names, social security numbers and addresses—nonprofits often store data about preferences, intimate details of vulnerable personal stories and information on donors. Additionally, many nonprofit organizations work closely with government agencies, sometimes sharing specific data between organizations or accessing specific tools within those agencies. In an increasingly fractured political environment, access to these data and tools puts nonprofits at risk. A nonprofit providing services to recent immigrants, for example, may store information on both residences and gathering places of their clients.

Unfortunately, many nonprofit organizations are not financially resourced for general technology and data solutions, let alone cybersecurity practices. According to a 2018 study, only 20 percent of nonprofits have a policy in place to address cyber attacks. The same study found that less than half of nonprofits have internal procedures or policies in place to manage how data is shared with external agencies.

We do not need to merely imagine the vulnerabilities, as cyber attacks on nonprofit organizations are happening. In 2021, the International Committee of the Red Cross disclosed that they had been targeted by a cyber attack that had “compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.” Also in 2021, One Treasure Island fell victim to a cyber attack where “criminals siphoned $650,000 from the community organization” working to provide affordable housing projects.

Fortunately, entities and initiatives are being created to provide critical cybersecurity support to nonprofit organizations. CyberPeace Institute supports nonprofit organizations, traces cyber attacks and engages in advocacy as it carries out its mission “to ensure the rights of people to security, dignity and equity in cyberspace.” The Consortium of Cybersecurity Clinics is an “international network of university-based cybersecurity clinics and allies [that helps] organizations in our communities build resilience against digital threats.” These efforts are significant, but more can be done to protect nonprofit organizations and the missions they carry out.

What can you do to help protect organizations providing critical services?

• If you are a cybersecurity professional, consider donating time and resources to support a nonprofit organization in conducting a cybersecurity audit of their systems or identifying general cybersecurity training materials to provide to staff and volunteers.
• If you are a cybersecurity professional, consider working for a nonprofit organization or for a tech company that provides support to nonprofit organizations.
• If you are a volunteer at or a supporter of a nonprofit organization, consider asking the nonprofit organization about its use of secure passwords, two-factor authentication and other simple security measures.

It is clear that while nonprofit organizations are vulnerable to cyber attacks because of the sensitive data they collect and store, there are many actions that can be taken to strengthen the technical infrastructure of these organizations. By investing time and talent into the nonprofit cybersecurity space, the institutions providing critical services and resources can be protected.

About the Author:

Afua Bruce is the founder and principal of ANB Advisory Group LLC, a consulting firm that works with organizations that fund, develop or implement responsible tech and data solutions. Bruce is also the author of The Tech That Comes Next: How Changemakers, Philanthropists, and Technologists Can Build an Equitable World. Prior to founding ANB Advisory Group, Bruce served as the executive director of the White House’s National Science and Technology Council, where she oversaw a number of federal interagency working groups, including groups focused on cybersecurity research and development.