Nonprofits are under attack.
If you’ve never lived through a ransomware attack, allow me to paint you a picture: The sun is shining through the clouds as you drive to work. Maybe you’re singing along to your favorite song. Greetings from your colleagues are as warm as the freshly brewed coffee in the kitchen. Soon, however, cheerful banter is replaced by worried murmurs. “Is anyone else having issues with the shared drive?” It soon becomes apparent that everyone is having the same issue. Resources that were available just a few minutes ago are gone, files are renamed and converted into strange formats, databases are locked, network printers are inaccessible. Your stomach turns.
Ransomware blocks access to an organization's data and systems until the organization pays the attackers’ ransom, costing precious time and money. These attacks are often executed through malicious email attachments that are designed to look innocuous.
Increasingly, nonprofits of all sizes are being targeted by cyber attacks including but not limited to ransomware. One of the reasons is that nonprofits often possess valuable data about donors, clients and employees but may be less likely than for-profit organizations to have modern cybersecurity programs in place. The proliferation of cloud-based technologies coupled with the move to remote work during the pandemic has dramatically increased the attack surface for cybercriminals. All of these factors combine to create a perfect storm for nonprofits trying to keep up.
Most nonprofits have not conducted comprehensive security risk assessments, so they do not truly understand the actual risks. Only 20% of nonprofits claim to have documented policies that address cyber attacks. Additionally, 56% of nonprofits state that they do not use multi-factor authentication (MFA) on any of their online systems.
Proper cybersecurity programs are hard to create and maintain even without the resource constraints that most nonprofits face, which is why it’s absolutely critical for nonprofit funders to support cybersecurity initiatives. This includes investing in ongoing training and education for nonprofit staff as well as appropriate technology tools.
Implementation of a cybersecurity program can be thought of as a continuous journey towards stronger cybersecurity. The journey begins with assessing each organization’s baseline security posture in order to fully understand what the next steps ought to be. The assessment phase should conclude with sound recommendations and remediation steps for the organization’s systems and digital spaces. The second phase of the journey involves designing frameworks, policies and implementation plans based on the results from the first phase. The third phase is execution: rolling out policies and procedures, implementing cybersecurity tools and services, and incorporating cybersecurity training into daily operations.
Grantees and funders must work together to prioritize cybersecurity across all platforms and processes. Here are three specific ways funders can help nonprofits avoid falling prey to cyber attacks.
1. Continue funding technology projects and emphasize the need for security
When funding technology projects, require and include funding for security controls. Ask questions in the application process that center around the organization’s ideas for securing the new platform or application during and after implementation. Funders should have knowledge of the design phase that was mentioned earlier in the article. To be clear, funders need to invest in security technology by increasing, not shifting, funding.
2. Provide your grantees with security services
Some foundations already do this, but it is important that more funders provide security services through a technology service provider. Providing cybersecurity assessment services to grantees is a great way to get them started on the first phase of the cybersecurity journey.
3. Help reduce the cost barrier
One of the biggest barriers for implementation and adoption of new technology, in this case cybersecurity technology, is cost. Investing in the implementation and ongoing maintenance phase of the cybersecurity program will ensure that nonprofits not only secure themselves now but take steps to ensure security in the future. The design phase will help inform the cost discussion, but there are several tools and training resources that can be used to create a “standard” that can be provided for funding opportunities.
As cyber attacks continue to become more relentless, ruthless and complex, the nonprofit sector needs to strengthen its cybersecurity posture proportionately. This should be a top priority not just for organizations but for the funders that support their work. What’s more, cybersecurity investment needs to be ongoing rather than one-and-done—nothing less than the very existence of nonprofits and their impactful programs is at stake.
Download Tech Impact's free guide "What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk."