“We do not attack health care, education, charitable organizations, [and] social services,” said a representative of LockBit 2.0 (a prominent cybercrime gang) in an interview with the Russian YouTube channel OSINT earlier this year.
As honorable as that makes cybercriminals sound, a glance at recent news headlines tells a different story. From the United States to Australia to Ireland, all kinds of public service organizations have been affected by cybercrime during the past twelve months. Overall, more than 50 percent of NGOs now report that they have been targeted by a cyberattack. What this means is that, as long as hackers can make money from breaching an organization’s cybersecurity, no sector is off limits, regardless of the charity’s or NGO’s mission.
NGOs and nonprofits are easy targets
For any cybercriminal, the ideal victim is not an organization with vast resources but one that is easy to hack and has a lot to lose when its network is breached. Unfortunately, most NGOs and nonprofits more than fit this bill. According to a survey by CohnReznick, more than two-thirds of nonprofits failed to assess their levels of cybersecurity risk. And a 2018 study by NTEN found that eight in ten nonprofits didn’t have a cybersecurity policy in place.
Not having cybersecurity policies and procedures means that security basics are, more often than not, neglected. For example, in the NTEN study, more than half of nonprofits admitted that they don’t require multi-factor authentication to log into online accounts. The ramifications can be easily seen in the real world: In 2019, the nonprofit People Inc., which provides critical services like housing, health care, and employment to families, seniors, and individuals with developmental disabilities, suffered a data breach that allowed an unauthorized person to access the email accounts of two employees. As a result, People Inc.’s current and former clients’ personal data, including their names, Social Security numbers, medical information, and bank account information, were compromised.
Weak passwords are just one potential entryway for hackers; phishing scams are another. One of the most common attack vectors, phishing accounts for 1 percent of all email traffic (or three billion phishing messages a day). While phishing scams come in many different forms, CEO fraud, where an attacker impersonates someone higher up in order to get the victim to transfer money or share sensitive information with them, is especially popular. So are business email compromise (BEC) attacks. In 2021, One Treasure Island, a nonprofit that connects resources with those that need them, lost $650,000 to this type of fraud. Hackers compromised the email account of the nonprofit’s third-party bookkeeper and, using addresses similar to those of employees, inserted themselves into existing email chains where they pretended to be individuals from the organization.
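The One Treasure Island case turns on a simple pattern: a familiar display name on an address whose domain merely resembles the organization’s own, dropped into an existing thread. Below is an added example (written for this page, not code from the original article or from any organization named in it) of the kind of inbound-mail check a small nonprofit could run to flag that pattern. The organization domain, staff directory and sample message headers are all constructed placeholders.

```python
import email.utils

# Hypothetical organisation domain and a constructed staff directory
# (display name -> the only address that name should legitimately use).
TRUSTED_DOMAIN = "example-nonprofit.org"
KNOWN_STAFF = {
    "Dana Rivera": "dana@example-nonprofit.org",
    "Sam Okafor": "sam@example-nonprofit.org",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances between domains signal lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(headers: dict) -> list:
    """Return a list of human-readable reasons the message looks like BEC.

    An empty list means none of the checks fired. Checks:
      1. sender domain within edit distance 2 of the trusted domain (lookalike);
      2. display name matches a staff member but the address is not theirs;
      3. Reply-To points at a different domain than the From address.
    """
    reasons = []
    name, addr = email.utils.parseaddr(headers.get("From", ""))
    sender_domain = domain_of(addr)

    if sender_domain and sender_domain != TRUSTED_DOMAIN:
        distance = edit_distance(sender_domain, TRUSTED_DOMAIN)
        if distance <= 2:
            reasons.append(
                f"lookalike domain {sender_domain!r} "
                f"(edit distance {distance} from {TRUSTED_DOMAIN!r})"
            )
        expected = KNOWN_STAFF.get(name)
        if expected and expected.lower() != addr.lower():
            reasons.append(
                f"display name {name!r} matches staff but address is {addr!r}"
            )

    _, reply_addr = email.utils.parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        reasons.append(
            f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain"
        )
    return reasons


# Constructed sample headers: one legitimate thread reply, one lookalike-domain
# impersonation, and one free-mail sender reusing a staff display name.
SAMPLE_MESSAGES = [
    {"From": "Dana Rivera <dana@example-nonprofit.org>", "Subject": "Re: Q3 invoices"},
    {"From": "Dana Rivera <dana@example-nonprofft.org>", "Subject": "Re: Q3 invoices"},
    {
        "From": "Dana Rivera <dana.rivera.finance@gmail.com>",
        "Reply-To": "accounts@example-nonprofit.org.co",
        "Subject": "Re: Q3 invoices",
    },
]


def scan(messages: list) -> list:
    """Assess each message; returns a parallel list of reason lists."""
    return [assess_message(m) for m in messages]


if __name__ == "__main__":
    for msg, reasons in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        verdict = "OK" if not reasons else "FLAG"
        print(f"[{verdict}] {msg['From']}")
        for r in reasons:
            print(f"    - {r}")
```

Run as a script, the first sample passes and the other two are flagged with the reasons listed. A check like this is a triage aid for the person who actually approves payments, not a replacement for the out-of-band callback that should precede any change to banking details.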
Data breaches are devastating for both nonprofits and their staff
Although as many as 84 percent of nonprofit professionals are happy with their roles, the nature of their jobs makes them targets for hackers and individuals who disagree with their organization’s cause. For example, in 2015, anti-abortion activists hacked into Planned Parenthood’s website databases and siphoned away employee names and email addresses. Those personal data were then posted online — a terrifying prospect for any nonprofit employee.
Given that 79 percent of respondents in a 2014 Pew Research Center survey find online harassment upsetting, incidents like this could make NGO and nonprofit employees rethink their career choice — if not their purpose in life. Victims of cyber harassment and stalking can also experience anxiety, panic attacks, depression, and suicidal ideation, not to mention decreased productivity. At the very least, data breaches can lead to absenteeism and under-performance.
In addition to finding it difficult to attract staff, nonprofits that suffer data breaches may also struggle to get funding. Both institutional funders and individual donors are likely to reconsider supporting organizations that could potentially put their own information at risk. In other words, trust is the most critical nonprofit resource that a cyberattack can damage. In a cybersecurity-focused survey of charities by IPSOS, the majority of respondents said that trust is vital to a charity’s survival. If it dissipated, it could ultimately mean that the nonprofit in question would no longer be able to fulfill its purpose.
How NGOs and nonprofits can enhance their data privacy
Most organizations can dramatically improve their security by ensuring that they have their cybersecurity basics in place. At the very least, every nonprofit should regularly update all their devices, software, and systems, have a strong password policy, and restrict the use of personal laptops and mobile phones. That last point is especially important in our work-from-home reality. According to the NTEN study mentioned earlier, more than two-thirds of nonprofit workers used their unsecured personal devices to access organizational files and emails. Unsurprisingly, 80 percent of security leaders said that their organization was now more likely to be breached because of remote work.
That being said, employee training is just as vital, even if many nonprofits don’t seem to think so. In a study by NTEN and Microsoft, 59 percent of nonprofits admitted that they didn’t provide cybersecurity training to their employees. A further 66 percent said that they had never undergone a threat assessment exercise or drill. Of those who had, fewer than half said they learned about the areas where their behavior mattered.
Since attacks are becoming more personalized, NGOs and nonprofits, as well as the people working for them, need to make sure that they’re not accidentally giving malicious actors more ammunition. For example, a personal social media post about a pet may provide hackers with a clue about that person’s password. Considering that 44 percent of Americans use personal passwords for work, even seemingly harmless social media posts could give a threat actor an easy way into a nonprofit’s system.
Similarly, a phishing email that references an employee’s personal or professional life (for example, their hobbies or the event they’re about to go to) is more likely to be successful. As a result, NGOs and nonprofits should aim to foster a culture of privacy by encouraging employees to delete their profiles from data broker sites and keep their social media posts private.
Too often, nonprofits neglect data security in favor of focusing on tasks that appear more important. However, it’s crucial to remember that if data security falls by the wayside, it may become impossible to carry out those tasks and fulfill their missions.
This article was first published on Candid by Rob Shavell. Rob is co-founder and CEO of Abine / DeleteMe (The Online Privacy Company), which helps individuals delete their profiles from data broker sites and keep their social media posts private.