Cybercrime is a serious threat to all types of organizations across the globe. Admittedly, cyberattacks only seem to target businesses. But that’s only because there are generally more businesses than non-business organizations. So, statistically, businesses experience and report more cyberattacks than other institutions. The truth is, cyberattacks are completely indiscriminate.

Many nonprofits are convinced they’re not attractive targets to hackers – maybe because they are too small, work with little data, or hold barely any money in reserve. But hackers never see it that way.

Nowadays, any data is valuable. For instance, even a handful of stolen personal information records, emails, or login credentials can be the gateway to more devastating attacks. Plus, hackers now use sophisticated bots and crawlers to scour the web for vulnerable sites. These bots get to work at the first sign of an exploitable weakness, regardless of the kind of site or its owner.

Let’s shed some light on cybercrime against non-profits for perspective. An annual survey conducted in the UK found that about a quarter (26 percent) of charities suffered a cyberattack in 2020. And this is not just a UK problem either. In January 2021, Oxfam Australia announced a data breach after unauthorized access to the charity’s database containing sensitive supporters’ information. In February 2020, Blackbaud, a cloud provider for non-profits, was hacked as part of an elaborate ransomware attack. The incident, which went undetected until mid-May, exposed volumes of sensitive data from several organizations.

Why are nonprofits vulnerable to attacks?

News headlines about nonprofits falling victim to cybercrime make a strong case for these organizations to rethink cybersecurity. Similar to for-profit institutions, charities also carry out business-like transactions and operations involving data. In fact, some nonprofits actually collect, store, exchange, and manipulate more sensitive information than they realize. They do this through:

  • Financial transactions: Processing donations, selling merchandise, and collecting fees for joining events or supporting various causes. These transactions end up capturing personal financial data such as banking and credit card details.
  • Human resource management: Although some non-profits rely heavily on volunteers, many employ full-time workers. This means collecting employee data to manage identification, benefits, and compensation (payroll, insurance, and other employee welfare perks).
  • Outreach and marketing: Rallying members of the public, sensitization, and raising awareness of a charity sometimes involve certain aspects of digital marketing such as emailing, filling in online forms, and using social media.

There is no problem with collecting donor, employee, and marketing information. The only concern is that many nonprofits lack robust cybersecurity measures to protect this data. According to NTEN, a shocking 80 percent of nonprofits don’t have policies in place to address cyberattacks. And 70 percent of them have never run a single vulnerability assessment to evaluate their cyber risk profile.

Sadly, despite handling vast volumes of sensitive information, most nonprofits lack the cybersecurity awareness, technical skills, and resources to build effective cybersecurity frameworks. That’s why these organizations fall easy and rewarding prey to cybercriminals.

What are the potential cyber threats to nonprofits?

Non-profit organizations face some rather peculiar cybersecurity risks compared to other types of institutions. Here’s a list of common attack vectors that every non-profit should be aware of and fully prepared to mitigate:

Unsecured donations

Nonprofits depend on multiple payment channels to receive donations and other funds. These channels might be vulnerable to attacks, especially if they’re online-based. Also, hackers can disguise themselves as donors in search of exploitable loopholes.

Volunteer access

Volunteers don’t go through as much scrutiny or training as paid employees. Yet, some of them end up with unwarranted security clearances and access to digital resources. Not all volunteers are well-intentioned or security-conscious.

Social engineering

Social engineering attacks such as phishing, pretexting, baiting, and quid pro quo can be successfully used to dupe unsuspecting employees and supporters into compromising an organization’s cybersecurity.

Ransomware and malware attacks

Ransomware incidents rose by 62 percent between 2019 and 2020. The growing prevalence, sophistication, and severity of these and other malware-based attacks are felt across all industries, including government, learning, and nonprofit sectors.

Forced downtime

Parties who disagree with an organization’s cause or mission may sabotage its operations by flooding or crashing its online systems. These types of attacks are more likely to target nonprofits focused on touchy religious and social-political affairs.

Proven ways to improve cybersecurity for non-profits

Despite the unique risk factors, nonprofits can still maintain a strong security posture with a bit of effort and resourcefulness. Here are a couple of ways that non-profits could stay ahead of cybercriminals:

Restrict privilege

Reduce the number of people with high-level access to secured resources to just a few trusted individuals. Also, every employee, volunteer, donor, or partner should only have access to the data and digital tools pertaining to their roles.

Keep a dependable data backup and recovery system

A reliable and easily recoverable data backup system serves as the last line of protection against data loss. It ensures data availability and integrity at all times, even in the face of natural disasters, cyberattacks, equipment failure, and accidental deletion.

Strengthen user authentication

User account security and authentication have already evolved beyond the username-password combination. Passwords alone are too insecure. So, many companies combine the traditional login style with multi-factor authentication (MFA). MFA is a multi-layered authentication method that, in addition to the correct credentials, also requires extra tokens such as geolocation, biometrics, and personal information to prove user identity during login. Yet more than half of nonprofits don’t use MFA to grant online access.

Install antimalware and encryption tools

Cybersecurity tools such as antimalware, antivirus, firewalls, network monitors, and intrusion detection systems go a long way in alerting users to suspicious activities and stopping hackers in their tracks. Also, strongly encrypting data and software applications, especially on the cloud, shields valuable information against exposure, manipulation, and theft.

Educate staff and supporters on cybersecurity

In one way or another, most data breaches result from human error – negligence, malice, and innocent mistakes. The best way to eliminate human weakness from the security equation is to turn it into a strength through training. Every non-profit should educate its staff, donors, and partners on cybersecurity best practices, their roles in cybersecurity, and the importance of observing data protection guidelines.

Keep IT systems updated

Regularly updating software applications and upgrading hardware systems as needed is one of the easiest ways to ward off cybercriminals. Newer software versions usually come with more effective security policies and protocols. In fact, the main reason vendors release patches and updates is to fix known and unknown security vulnerabilities.

Bottom line

The main takeaway here is that no organization – big or small, for-profit or nonprofit – is immune to the dangers of cybercrime. But arguably, non-profits are more susceptible to cyberattacks since most of them have a false sense of security. Plus, most non-profits lag behind other organizations in adopting modern cybersecurity measures. Sadly, none of this makes the threats out there any less real. It’s high time that nonprofits stepped up their cybersecurity game.

Are you worried about the digital security state of your nonprofit organization? Softlanding can help. Our managed IT and professional services serve all kinds of organizations, including charities. Let’s talk about strengthening your organization’s cybersecurity posture and IT performance today.

Written By:


Softlanding is a long-established IT services provider of transformation, professional services and managed IT services that helps organizations boost innovation and drive business value. We are a multi-award-winning Microsoft Gold Partner with 13 Gold Competencies and we use our experience and expertise to be a trusted advisor to our clients. Headquartered in Vancouver, BC, we have staff and offices in Toronto, Montreal and Calgary to serve clients across Canada.