Why Nonprofits Have Become a Popular Target for Cybercriminals and How to Stop Them

Nonprofit organizations have become an increasingly attractive target for cybercriminals, and this disturbing trend shows no signs of slowing down. In this article, we will look at why bad actors find nonprofits such attractive targets and provide some practical actions that your nonprofit can take for optimal protection against this significant threat.

Revealing Statistics on the Growing Cyberattack Threat to Nonprofits

These statistics were reported by NTEN, BoardEffect, and CyberPeace.

  • 68% of nonprofits confirmed at least one data breach within the last three years.
  • More than 50% of nongovernmental organizations (NGOs) reported being targeted directly by cyberattacks.
  • Nonprofits and NGOs raise more than $30 billion a year, and 75% do not actively monitor their networks.
  • 56% of nonprofits don’t require multi-factor authentication (MFA) to log into online accounts.
  • More than 70% of nonprofits have not run any vulnerability assessments to evaluate their potential risk exposure.

Notable organizations affected by recent cybercrime include the International Committee of the Red Cross, Save the Children International, RSPCA in the UK, Philabundance, and Water for People.

Why Are Nonprofits Being Increasingly Targeted?

Cybercriminals are currently targeting nonprofit organizations more than all industry sectors save one. The reason for their attention to nonprofits is a combination of opportunity and reward as described below.

Amount of sensitive donor information

The most important reason bad actors target nonprofits is the staggering amount of sensitive donor and member data that these organizations use and store. This data includes personal information such as social security numbers and financial information, which cybercriminals will use for identity theft and for unauthorized financial withdrawals and purchases.

Access through third-party vendors

Most nonprofits use a variety of third-party vendors to help them with essential functions such as fundraising platforms, data information systems, and cloud applications. Because of a lack of IT expertise, some nonprofits will collaborate with new partners without properly vetting their data security protocols. In addition, fewer than half of nonprofits have any policies or procedures to guide their data sharing activities with third parties.
Using third parties unavoidably opens up additional entry points to your organization’s network. As a result, cybercriminals are working constantly to identify weak links to nonprofit organizations through their third-party vendors.

Limited cybersecurity budget and protocols

According to the National Council of Nonprofits, 88% of America’s 1.3 million charitable nonprofit organizations operate on an annual budget of $500,000 or less. Unlike private companies with robust IT budgets, nonprofits normally have tight budgets with little available for the latest cybersecurity applications. Nonprofits also frequently use outdated devices and operating systems and don’t have dedicated cybersecurity resources.
Without IT security leadership, there is also a lack of cybersecurity policies and protocols to guide nonprofits in the event of cyberattacks. A report by CyberCommand states that nearly 70% of nonprofits do not have official policies and procedures in place to respond to a cyberattack. Acutely aware of this situation, cybercriminals are increasingly trying to exploit these significant vulnerabilities with new sophisticated attacks.

Insufficient cybersecurity training for staff and volunteers

In comparison to private companies, nonprofit organizations suffer from both a lack of sufficient cybersecurity training and the negative impact of volunteers working with their network. A glaring 71% of nonprofits allow their staff and volunteers to use unsecured personal devices when working on their network to access organizational data files.
A CyberCommand report notes that 90% of nonprofits do not provide regular training on cybersecurity for their staff. Without proper training, nonprofit staff and volunteers will have a challenging time recognizing phishing emails and other malicious activity, and they will not be adequately prepared to act after a network intrusion, data breach, or ransomware attack occurs.

Targeted for what they represent

Not all bad actors are working for a purely financial motive. There are some “hacktivists” as well as groups sponsored by nation-state governments that will target nonprofits to disrupt their activities and try to prevent them from fulfilling their missions. For example, CrowdStrike reported that there has been a significant increase in malware attacks against Ukrainian companies and media organizations, and nonprofits supporting humanitarian efforts in Ukraine have also increasingly suffered from cyberattacks.

Actions to Take to Improve Nonprofit Cybersecurity

In response to the growing threat of damaging cyberattacks, nonprofit organizations should take decisive measures to meet the growing cybersecurity challenge. The following bullet points outline important actions recommended by data security experts.

  • Invest in powerful antivirus tools, firewalls, and Zero Trust cloud security architecture.
  • Perform a vulnerability assessment with a dependable IT Support partner.
  • Provide your staff and volunteers with thorough training on good cyber hygiene including regular tests to assess your vulnerability to phishing and other malicious activities.
  • Develop protocols and procedures to prevent and manage cyberattacks.
  • Ensure Multi-Factor Authentication (MFA) and strong password management policies are in place.
  • Limit staff access to sensitive personal client and employee information and consider verbal verification protocols for any significant financial transactions.
  • Carefully vet all third parties that will have access to your networks and verify that their networks and systems are well protected.
  • Implement encryption methods and a secure website to protect your digital donation system.
  • Install robust backups and purchase cybersecurity insurance to mitigate the impact of any successful cyberattacks.

Work with an Experienced Cybersecurity and IT Support Partner

The most valuable recommendation we can give your nonprofit organization is to work with an experienced IT cybersecurity expert, such as Network Depot, to protect yourself against this increasing threat. Your IT partner will be with you every step of the way assessing your needs, filling your security gaps, providing constant monitoring, and upgrading your cybersecurity applications to keep your network secure. Your IT Support partner will help you select and implement the right cybersecurity tools and solutions that will work best for your nonprofit.

By understanding how and why nonprofits are being targeted and with the assistance of your trusted IT Support partner, your nonprofit organization will be confident that your operations and sensitive data are secure. With the peace of mind that your organization is well protected, your nonprofit will be able to better focus on achieving your unique mission.

