What is Cybersecurity for Nonprofits?
Nonprofits may not be front of mind as high-value targets for cybercrime, but they have many features and assets that are attractive to cyberattackers. One important asset that many nonprofits hold is personally identifiable information (PII), such as full names, addresses, social security numbers, driver’s license numbers, passport information, email addresses, phone numbers, information on next of kin, and other sensitive personal information [1]. Nonprofits may also hold data on many different populations, including clients, patients, volunteers, government contacts, and donors. Beyond this personal information, some nonprofit organizations also hold exceptionally sensitive information, such as medical and financial data, or confidential data on issues such as immigration, drugs, war, crime, or human rights. Regardless of a nonprofit's size, or of how secure it believes the PII it retains to be, even the smallest nonprofit that works with a larger nonprofit or government entity can be a target for cyberattackers and a threat to the larger organizations it does business with.
While many nonprofits are attentive to the security of their physical space, such as their buildings and operations, they may not treat their cybersecurity with the same consistent attention and commitment to maintenance. To ensure that people and data remain safe and secure within a nonprofit, it is critical for organizations to develop a robust cybersecurity program, to be aware of cybersecurity threats, and to ensure that everyone with access to organizational assets has received sufficient training to understand their roles and responsibilities. The types of cyberattacks that organizations must educate their associates about include:
Baiting. Often using false promises or infected USB drives, a cyberattacker preys on an individual’s curiosity to get them to unwittingly load malicious software onto a machine, from which it can then spread through the network.
Phishing. Emails trick users into divulging passwords or PII.
Scareware. A pop-up alerts a user to a supposed compromise of their computer, but when they follow the instructions to “clean” it, they instead install malicious software.
Spear phishing. A particular user or entity is targeted using more personalized phishing methods.
Advanced Persistent Threats. Cyberattackers burrow into a system and remain undetected for a long time while they surveil, disrupt service, and steal data.
Denial of Service attack. This attack prevents authorized users from accessing the network.
Man-in-the-Middle attack. An attacker intercepts the communication between a client and a server and reads and collects the data passing between them.
Data extraction attack. A cyberattacker executes a malicious SQL query against an application's database which, when successful, allows the attacker to read, modify, and/or delete all data in that database.
When developing a cybersecurity plan, nonprofits can follow the NIST Cybersecurity Framework, which is organized around the following functions [2]:
- Identify cybersecurity risks
- Protect against potential cybersecurity events
- Detect cybersecurity events
- Respond to a cybersecurity incident
- Recover from a cybersecurity incident
[1] Bruce, 2020, “Cybersecurity for Nonprofits: A Guide”
[2] NIST, 2021, “Cybersecurity Framework”