
Cyber-poor, target-rich: The crucial role of cybersecurity in nonprofit organizations

Alexandru LAZAR

In today’s volatile international environment, nonprofit organizations play a central role in providing humanitarian relief and protecting the human rights of over 1 billion vulnerable individuals worldwide. Nonprofits regularly ensure the delivery of essential services in complex emergencies, such as the provision of healthcare, access to food and water, sanitation, and other social services that are critical for marginalized communities trapped in conflicts and natural disasters. However, as nonprofits collect and retain more beneficiary data, receive donor funds through digital channels, and manage key operations via internet-connected systems, their vulnerability to cyberattacks has increased in the past few years. This is because nonprofits come across to cybercriminals as cyber-poor and target-rich: cyber-poor because they are an easy target from a technical perspective, and target-rich because the sector raises over $1 trillion annually to deliver programs that bring life-saving assistance and protection to people in need.1

While cybersecurity is a problem for all industries, it has become a particular challenge for nonprofits. Nonprofits operate on well-defined and often limited budgets, dedicating most of their funds to fulfilling their mandates. This makes it difficult for nonprofits to attract the cybersecurity talent needed to stay secure. Beyond funding, one of the main challenges nonprofits face is that their leaders often lack the time – and in many cases the awareness – to carry out the extensive research necessary to implement robust cybersecurity governance measures aligned with their organization’s operational reality. Furthermore, few donors require, or even allow, their grantees to invest time and funding in cybersecurity, leaving the grantees and their beneficiaries vulnerable.

The digital attack surface of NGOs has been growing considerably in the past decade. In recent years, this was accelerated by two main factors. First, the COVID-19 pandemic forced many NGOs around the world to digitalize their operations in order to ensure continuity. In the past, digital technologies were not a priority for many NGOs, mostly due to the expenses and resources required.2 During the pandemic and in its aftermath, digital development was not only a necessity but became part of the NGOs’ strategy, introducing a permanent change in the way they work, communicate, fundraise, and deliver services. Second, while digitalizing their services, very few NGOs have developed their own products and platforms. Instead, most of them rely on third-party services for the digital tools they require, which exposes them to a whole set of threats and vulnerabilities.

According to Microsoft’s 2021 Digital Defence Report, nonprofit organizations have become the second most targeted sector by cybercriminals, accounting for 31% of all notifications of nation-state attacks against organizational domains, as detected by Microsoft.3 A research study conducted by the CyberPeace Institute in 2023 amongst Geneva-based nonprofits highlighted that 41% of these organizations had been the victim of a cyberattack in the past few years. The same study states that 56% of NGOs do not have a budget allocated for their cybersecurity needs, while 70% of them do not believe they have the knowledge, skills, and resilience necessary to respond to a cyberattack.4

Without adequate cybersecurity safeguards in place, nonprofits risk severe disruption to their services, irreparable damage to vulnerable populations who rely on them, and the erosion of public trust that could undermine their fundraising prospects. Prioritizing cybersecurity is no longer an option but an imperative for nonprofits. As such, when assessing the criticality of cybersecurity for nonprofits, three overarching issues stand out, namely the operational impact of cyberattacks, the safety of beneficiary and donor data, and ultimately the overall financial impact of cyberattacks on nonprofits.

Operational Impact

One of the most immediate and tangible consequences of a cyberattack on nonprofits is the disruption of day-to-day operations. In the event of a successful attack, nonprofits may find themselves locked out of their own systems, unable to access vital data, and facing the daunting task of restoring operations. The downtime resulting from such disruptions can hinder program delivery, compromise project timelines, and erode the trust of stakeholders.

In early 2020, an NGO fell victim to a website defacement attack. Its website serves as a central platform for communication with partners and beneficiaries. The exact timing of the attack remains uncertain, as it was discovered during a period of reduced monitoring over the winter holidays. When staff tried to connect to the website, they noticed that they were automatically redirected to a Chinese marketplace website. Unfortunately, the organization did not have a backup of its website. Consequently, it had to invest in a full reconstruction of the website, which took around nine months to complete. The organization does not believe that it was deliberately targeted by the cyberattack. Instead, it appears that the attackers aimed to generate traffic for the Chinese website. This nonprofit works with hundreds of different stakeholders to ensure accountability, transparency, and oversight of international humanitarian standards.

In January 2020, a nonprofit staff member was checking their emails and accidentally opened a PDF file containing malware, leading to the complete encryption of the organization’s data by a threat actor.5 The perpetrators used a generic email with the PDF attached to launch the attack. The infection initially started on one workstation and subsequently spread to the organization’s server. The server stored crucial data, including booking information, financial and accounting data, and personal data of staff members. The attackers demanded a considerable sum of money, in bitcoin, for the decryption of the data. The attack involved a ransomware referred to as REvil (Ransomware Evil). The charity chose not to engage with the cybercriminals or to pay the ransom demanded. However, while the last backup of its data was successful, it had not been updated with the preceding weeks’ worth of operational information, which was lost as a result. This charity acts as a central hub for the community it serves, providing a safe space for marginalized communities to express themselves.

Another example of operational impact stems from the context of the ongoing conflict in Ukraine, where the CyberPeace Institute has identified a total of 54 nonprofit organizations that have been the target of various cyberattacks. The nonprofits vary in size and work in different sectors, ranging from humanitarian and development aid to human rights, justice, and environmental issues. Distributed Denial of Service (DDoS) attacks are the most predominant. A DDoS attack on a nonprofit organization can have severe consequences, impeding its ability to operate effectively and serve its mission. Such attacks overwhelm the organization’s website or network infrastructure with a flood of malicious traffic, rendering online services inaccessible to legitimate users. This can disrupt communications with stakeholders, hinder fundraising efforts, and potentially erode trust among donors and beneficiaries. Moreover, the financial burden of mitigating the attack and implementing robust cybersecurity measures can strain resources that are already limited by diverting funds away from critical programs and services, thereby exacerbating the negative impact on the organization’s ability to fulfill its objectives.

Thus, as nonprofits rely on seamless operations to deliver their services, delays caused by cyberattacks have a real-world impact on the vulnerable communities these organizations serve. Nonprofits might find themselves diverting valuable resources to address the aftermath of a cyberattack, impacting the allocation of their already limited funds and of the personnel working on ongoing projects. This diversion of resources risks compromising the organization’s ability to fulfill its mission in the long term.

Safeguarding Beneficiary and Donor Data

Many nonprofits manage databases containing extensive personally identifiable information (PII) on the recipients they serve, including financial background, family details, medical history (stored as personal health information, or PHI), and more. In addition, some of the data they collect can relate to people in vulnerable situations – for example, data on their status, on those who experience detention, ill-treatment, and torture, on missing people, or on individuals who could be considered persons of interest by some authorities or state actors. They also handle donor tax identification numbers, payment information, and personal contact details.

A single breach of these stores of highly sensitive data can have disastrous effects – from identity theft to disenfranchised populations losing access to critical services because their confidentiality was violated. For instance, in vulnerable communities where individuals may suffer from illnesses such as AIDS, exposure of their personal information can lead to social exclusion and stigmatization. Additionally, there is the threat of extortion, with criminals potentially exploiting breached data to extort money from individuals in exchange for not exposing or further disseminating their data. Moreover, the gravest concern lies in repressive regimes gaining access to the personal data of persons of interest, including their families. This could lead to physical attacks, espionage, kidnapping, or even murder.

According to the latest CyberPeace Analytical Report, 68% of nonprofits participating in the research have experienced a data breach in the past three years.6 In January 2022, the cyberattack on the International Committee of the Red Cross (ICRC) was the latest high-profile breach to showcase how critical cybersecurity has become for nonprofits. Personal information belonging to more than 500,000 people was exposed after what was called a “highly sophisticated” hack.7 The attack targeted the “Restoring Family Links” program run by the ICRC. This program helps to restore and maintain contact between family members who have been separated due to conflict, natural disasters, migration, or other humanitarian crises. It provides services such as tracing missing relatives, facilitating messaging between family members, and supporting family reunification efforts. ICRC’s “Restoring Family Links” program is an essential component of its humanitarian work aimed at alleviating the suffering of individuals affected by crises around the world. According to the ICRC, the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat (APT) groups. The ICRC also reiterated its call to the hackers not to share, sell, leak or otherwise use this data, as people’s lives might be put at risk.

Another example of inadequate data handling dates to 2016, when the personal health information (PHI) of more than 550,000 individuals who had donated blood to the Australian Red Cross was breached and leaked. The incident was the result of human error as well as poor data handling and storage. The file containing donor information was located on a development website that had been left unsecured by a contracted third party that develops and maintains the Australian Red Cross website.8 In the aftermath of the breach, debate arose around the organization’s overall data security practices. In parallel, the organization noticed a decrease in its number of blood donors. As such, data leaks not only threaten but often harm the lives and livelihoods of real people. Furthermore, the reputational damage and erosion of public trust stemming from such incidents could irrevocably devastate donor relationships and the viability of future operations.

Financial Impact of Cyberattacks

It is expected that within the next year, the costs associated with cybercrime will increase to more than $10.5 trillion.9 More precisely, it is believed that the damage inflicted by cyberattacks in a year will be exponentially larger than that of natural disasters and will be more profitable than the global trade of all major illegal drugs combined.10 Cybercrime costs include damage and destruction of data, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, and restoration and deletion of hacked data and systems. While nonprofits may not generate revenue in the same way as for-profit businesses, they still face substantial financial losses due to cyber incidents. These losses can include direct costs such as expenses related to paying a ransom or investigating the breach, restoring systems and data, and potential legal fees or regulatory fines. Moreover, there are indirect costs such as loss of donor trust and disruptions to program delivery. As nonprofits rely heavily on public goodwill, a cyberattack can erode trust, leading to decreased donations and funding.

A first example stems from an NGO based here in Geneva, Switzerland. In September 2019, shortly after the summer holidays, the Finance department of this organization started following up on pending invoices.11 They noticed that 23,000 CAD was missing from a Foundation they were working closely with. The Finance team swiftly followed up with the Foundation, stating that the payment had not been made. The Foundation replied confirming that it had paid, with proof of payment. This is when the NGO realized that it was the victim of a Man-in-the-Middle (MitM) attack. Upon further investigation, the NGO realized that the email had been tampered with: the banking information the Foundation had received did not match the original invoice. The attackers had edited the PDF invoice and sent it with exactly the same wording as the original – yet, upon closer inspection, the cybercriminals had subtly altered the name of the organization and the payment details. This incident occurred during a period when many employees were on holiday, reducing the likelihood of immediate detection.
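The altered-invoice case above turns on a payee name and bank details that differ only subtly from the vendor on record. The Python check below is added here as an illustration (it is not code from the CyberPeace Institute or from the NGO involved): it compares an incoming invoice against a vendor master record, validates the IBAN checksum, flags a changed IBAN, and distinguishes a lookalike payee name from a plainly different one. The vendor record, invoices and IBANs are constructed sample data.

```python
"""Flag incoming invoices whose payee name or bank details drift from the
vendor master record (the pattern in the altered-invoice case above).
Vendor records, invoices and IBANs below are constructed sample data."""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class VendorRecord:
    name: str
    iban: str


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    iban: str
    amount: float
    currency: str


def _norm_name(name: str) -> str:
    # Collapse whitespace and case so only real character changes remain.
    return " ".join(name.split()).upper()


def _norm_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer must be 1 mod 97."""
    s = _norm_iban(iban)
    if len(s) < 15 or len(s) > 34 or not s.isalnum() or not s[:2].isalpha():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def check_invoice(invoice: Invoice, vendor: VendorRecord) -> list[str]:
    """Return a list of findings; an empty list means the invoice matches."""
    findings = []
    if not iban_checksum_ok(invoice.iban):
        findings.append("iban-checksum-invalid")
    if _norm_iban(invoice.iban) != _norm_iban(vendor.iban):
        findings.append("iban-mismatch")
    got, expected = _norm_name(invoice.vendor_name), _norm_name(vendor.name)
    if got != expected:
        # A high similarity ratio on a non-identical name is the lookalike
        # pattern (e.g. "rn" substituted for "m"); a low one is a different payee.
        ratio = SequenceMatcher(None, got, expected).ratio()
        findings.append("name-lookalike" if ratio >= 0.8 else "name-mismatch")
    return findings


# Constructed sample data: the vendor on record and two incoming invoices.
VENDOR = VendorRecord("Example Foundation", "GB82 WEST 1234 5698 7654 32")
GENUINE = Invoice("Example Foundation", "GB82 WEST 1234 5698 7654 32", 23000.0, "CAD")
TAMPERED = Invoice("Exarnple Foundation", "DE89 3704 0044 0532 0130 00", 23000.0, "CAD")

if __name__ == "__main__":
    for inv in (GENUINE, TAMPERED):
        print(inv.vendor_name, check_invoice(inv, VENDOR) or "OK")
```

Any non-empty finding list should route the invoice to an out-of-band confirmation with the vendor (a known phone number, not the contact details on the invoice) before payment is released.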

In January 2020, Roots of Peace – a humanitarian nonprofit organization headquartered in San Francisco, California, US – was the victim of a sophisticated CEO scam. Upon their CEO’s return from an overseas trip to China, the charity learned that it had unwittingly transferred over $1 million to an unfamiliar bank account. Investigations revealed that the amount had been transferred to an account in Hong Kong. The amount stolen by cybercriminals had a significant operational impact. The organization was faced with the dismal choice of either closing its business or taking a personal loan from the bank to cover the loss. Taking into account the communities and vulnerable individuals depending on its support, Roots of Peace took a leap of faith and risked a personal bank loan, rather than turning its back on the Afghan farmers and traders who were depending on it. The stolen money had been dedicated to converting minefields into arable farmland in former war zones. Roots of Peace was able to recover some of the stolen funds, but to date, only $175,000 of the $1.34 million total stolen has been returned.12 Unfortunately, this is not an isolated case. In 2021 alone, CEO fraud caused $2.4 billion in losses to US businesses, according to the FBI Internet Crime Report.13

In the aftermath of such cyber incidents, donors and beneficiaries often become hesitant to engage with nonprofits, fearing for the safety of their personal information. This disengagement can be particularly damaging for organizations dedicated to serving vulnerable populations, as it directly impedes their mission to make a positive impact on communities in need. Moreover, donors, upon learning about a cyberattack, may question the organization’s competence in safeguarding their financial contributions. The negative perception of nonprofits as unsafe stewards of funds can divert public resources away from the organization, hindering its ability to carry out essential programs. The loss of donor confidence, coupled with a tarnished public image, can have long-lasting repercussions, blocking funding streams for years to come.

The Way Forward

Cybersecurity should not be viewed as an isolated investment, but rather as a long-term enabler for nonprofits to leverage technology safely and sustainably to drive positive social impact and change. By recognizing cybersecurity risks as threats to the continuity of essential operations, to the privacy of vulnerable communities, and to institutional viability over the long term, nonprofit leadership and their donors can choose to invest in their digital resilience by embedding cybersecurity in their initiatives from the ground up.

The CyberPeace Institute recognizes the growing need of nonprofit organizations for accessible cybersecurity services to improve their digital resilience. Created in 2019, the Institute delivers free cybersecurity assistance to more than 250 nonprofit organizations through its flagship program – the CyberPeace Builders – which brings together corporate volunteers from around the world. The program offers nonprofits access to a self-assessment tool to measure their digital resilience and identify actionable steps to strengthen it.

Get in touch to learn more!

  1. Peter Hall-Jones (2006), The Rise and Rise of NGOs, Global Policy Forum. Available at: https://archive.globalpolicy.org/component/content/article/176-general/31937.html
  2. Mikołajczak et al. (2022), Entrepreneurship and Sustainability Issues: The COVID-19 Pandemic Consequences to the Activity of NGOs, Journal of Entrepreneurship and Sustainability Issues, 9(3), pp. 130-149. Available at: https://www.researchgate.net/publication/358799152_ENTREPRENEURSHIP_AND_SUSTAINABILITY_ISSUES_THE_COVID-19_PANDEMIC_CONSEQUENCES_TO_THE_ACTIVITY_OF_NGOs_ENTREPRENEURSHIP_AND_SUSTAINABILITY_ISSUES
  3. Justin Spelhaug (2021), Strengthening cyber defence for nonprofits, Microsoft. Available at: https://blogs.microsoft.com/on-the-issues/2021/10/21/cyber-defenses-security-program-nonprofits/#:~:text=The%20report%20highlights%20that%2C%20in,domains%20as%20detected%20by%20Microsoft
  4. CyberPeace Institute (2023), CyberPeace Analytical Report. Available at: https://geneva.cyberpeace.ngo/
  5. CyberPeace Institute (2023), CyberPeace Analytical Report. Available at: https://geneva.cyberpeace.ngo/
  6. CyberPeace Institute (2023), CyberPeace Analytical Report. Available at: https://geneva.cyberpeace.ngo/
  7. International Committee of the Red Cross (2022), Sophisticated cyber-attack targets Red Cross Red Crescent data on 500,000 people. Available at: https://www.icrc.org/en/document/sophisticated-cyber-attack-targets-red-cross-red-crescent-data-500000-people
  8. Office of the Australian Information Commissioner (2017), DonateBlood.com.au data breach (Australian Red Cross Blood Service). Available at: https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/investigation-reports/donateblood.com.au-data-breach-australian-red-cross-blood-service#:~:text=The%20data%20file%20contained%20registration,backup%20of%20the%20data%20file.
  9. Esteban Borges (2024), What is a Cyber Crime Investigation?, Recorded Future. Available at: https://www.recordedfuture.com/threat-intelligence-101/incident-response-management/cyber-crime-investigation#:~:text=Amidst%20these%20rising%20challenges%2C%20it’s,urgency%20for%20robust%20cybersecurity%20measures.
  10. Steve Morgan (2020), Cybercrime To Cost The World $10.5 Trillion Annually By 2025, Cybercrime Magazine. Available at: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
  11. CyberPeace Institute (2023), CyberPeace Analytical Report. Available at: https://geneva.cyberpeace.ngo/
  12. GZERO Media (2023), The threat of CEO fraud and one NGO’s resilient response. Available at: https://www.gzeromedia.com/global-stage/caught-in-the-digital-crosshairs/the-threat-of-ceo-fraud-and-one-ngos-resilient-response
  13. Federal Bureau of Investigation (2021), Internet Crime Report 2021. Available at: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
