Protecting Nonprofits Through Cybersecurity Volunteering

Nonprofits are frequent targets of cyber attacks due to their access to sensitive information from high-risk communities and the large amount of money they raise each year. Criminals often manage to steal these funds because nonprofits lack basic security controls. A key obstacle for nonprofits is access to cybersecurity experts. 

Indeed, the United States has an employed cyber workforce of 1.1 million professionals, but over half a million jobs in the cybersecurity sector remain vacant throughout the country, with the predicted global talent shortage rising to 3.5 million by 2025. Nonprofit staff, with an average employee salary of $60,000, cannot afford to hire or retain cybersecurity experts earning double that amount. Awareness that the most vulnerable are not sufficiently protected has increased in the cybersecurity sector over the last few years, and solutions are starting to emerge. This article will explore a few before focusing on the talent shortage and cyber volunteering.  

The U.S. Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative just launched an initiative to “[s]trengthen protection of civil society organizations who are at higher risk of being targeted by foreign state actors through collaborative planning with key government and industry stakeholders.” This is in recognition that these communities are not well protected. The main challenges nonprofits face and the opportunities they can leverage include:

1. On the technology front, nonprofits can use discounted or free tech software via TechSoup, the Global Cyber Alliance (GCA) and companies like Cloudflare, Microsoft, Okta and many others, to not only improve the detection and respond to various types of attacks, but also to train staff and raise awareness. However, not all software solutions that nonprofits use have been designed with their needs in mind, and require configuration and maintenance over time. They can even provide a false sense of security and lead to risks. Nevertheless, there is no shortage of software solutions. 
2. On the process front, there is also a plethora of materials available to guide nonprofits through their cybersecurity journey, such as the Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG), the GCA mission-based toolkit or industry standards like the National Institute of Standards and Technology, ISO27001 and Cyber Essentials. But even with these guides, nonprofits need people to implement security controls.
3. Finally, on the people’s side, there is no clear path to a better tomorrow. Attracting cyber talent is generally out of reach due to the high salaries that experts demand. Upskilling staff through training offers a temporary solution, as retaining such expertise is hard. The way forward is to educate donors that cybersecurity is mission-critical. Until then, what can nonprofits do? 

Cyber Volunteers to the Rescue

A recent study published by U.S. law firm McDermott Will and Emery provides insights into a potential solution: cyber volunteering. The concept is not new: cyber volunteer reserves have been implemented in Estonia, France and the United States for over a decade. Cyber experts from all over the world rallied during the pandemic in the CTI league to exchange threat intelligence and support the Federal Bureau of Investigation. The study finds sustainability and scalability are difficult to achieve with volunteer initiatives that run on limited funding. On the contrary, one model stands out among the rest: the CyberPeace Builders.

The CyberPeace Builders are volunteers who help nonprofits through short-term cybersecurity engagements. Sustainability is achieved by working only with corporate volunteers and asking employers to contribute to the initiative out of their corporate social responsibility commitments. While this may sound counterintuitive, corporations have long been looking for skills-based volunteering opportunities for their cyber workforce. Volunteering has been demonstrated to positively impact talent retention—a key problem in the cybersecurity industry. Working with corporate volunteers also allows the CyberPeace Institute to select reputable companies and leverage the trust they have in their employees.  

About 25 percent of the U.S. adult population volunteers each year. Of the 900,000 U.S. corporate cybersecurity experts, this could represent 18 million hours a year to help nonprofits. That’s 100 hours of free cyber consulting for 180,000 nonprofits. While this isn’t a definitive solution, it can temporarily bridge the current talent gap in nonprofit cybersecurity.

Today, over 1,000 CyberPeace Builders are helping more than 100 nonprofits worldwide, and several companies, like Okta, Rapid7, CapGemini, Splunk, Inditex, Mastercard, Microsoft, Logitech, WithSecure and Zurich, are sponsoring the initiative. Philanthropic donors such as Craig Newmark have also contributed with seed funding. The program is rapidly expanding internationally. 

Signing up as a volunteer or a company or a nonprofit takes only a few minutes and all the relevant information can be found here. 

Short-term Solutions for Long-term Impact

Established in 2019, the CyberPeace Institute manages the CyberPeace Builders program, documents how cyber attacks harm people and society, and advocates for policy solutions. As an example of the institute’s work at a local level, the CyberPeace Builders helped the institute document the impact of attacks on nonprofits in Geneva to provide evidence-based recommendations to the city authorities in terms of how to best support nonprofits in the long term. 

As a result, volunteering has both a direct, tangible impact for those nonprofits that take part in the program, as well as long-term systemic impact to secure the whole ecosystem. For public authorities, it is an opportunity to better protect the citizens who depend on local charities. It is also an opportunity to channel local cybersecurity volunteering into building resiliency for good as opposed to cyber militias. 

While nonprofits will likely face cyber threats and a workforce shortage for the foreseeable future, cyber volunteers have demonstrated their role in improving both.

Adrien Ogée is the Chief Operations Officer at the Cyber Peace Institute.