Debunking Myths and Misconceptions About Cybersecurity in Nonprofits

Enjoy this spotlighted blog from Sightline Security

When it comes to cybersecurity for nonprofits, the wrong ideas are certainly out there.

Now that we conquered some of the confusion surrounding cybersecurity, it’s time to dig a little deeper. For this blog post, I’m going to start with a short personal confession. When I first began to think about cybersecurity in nonprofit and mission-based organizations, I had a lot of assumptions.   

  • Nonprofits don’t need cybersecurity; who would want to attack them anyway?
  • Nonprofits don’t have the resources or funding to even think about cybersecurity, so why start?
  • Nonprofits are just like other businesses, so why don’t they use the same methods and tools for cybersecurity?
  • The technology used in nonprofit organizations is so outdated that it’s too much of an undertaking to secure them.

Looking back, it’s clear that I was wrong. The unique characteristics of nonprofit organizations mean that the approach to cyber and information security requires a different mindset. Unfortunately, discussions with security experts show that many misconceptions about the value of cybersecurity for nonprofits still exist. This is true regardless of the recent uptick in attacks on nonprofit organizations of all sizes and missions. These views are also held by some nonprofit executives, thereby creating additional barriers to overcome.   

First things first about cybersecurity

But let’s start by breaking down some of what we know about cybersecurity in nonprofits and what makes a nonprofit different. First, yes, cyber and information security are complicated, but that doesn’t mean they are insurmountable challenges. Second, we can make it easier by removing hurdles and encouraging better understanding—regardless of an organization’s size, budget, or resources. To do this, we have to start by understanding cybersecurity in nonprofit and mission-based organizations—something that has never been done across all 1.5 million of them registered in the U.S. However, since 2016, we have assessed and collected anecdotes and data to document the true state of cyber and information security in these organizations. 

Here are three examples of some of the myths, plus the facts we are capturing from our nonprofit members.

Myth: Hardware and software are outdated and unpatched.  

Fact: True in some cases, but not all (which are successes to celebrate)!

Many of the organizations in Sightline’s community have actually made significant strides to use current technology. It can be easy to assume that nonprofits are using decades-old technology—and for some, this is the case, sadly. But for many, they know that operating their business efficiently is paramount. Therefore, they make an effort to ensure that the hardware and software they use are modern and up-to-date. Some are also taking advantage of discount programs available through organizations such as TechSoup.

We are continuing to debunk this myth, and while it’s improving, it’s also complicated because many nonprofit organizations now outsource their IT services. Therefore, they have to rely on these vendors to ensure that their software and hardware are up-to-date. This means they also have to trust that the appropriate security controls are in place. 

Myth: Nonprofits do such great work, and no one would want to attack them.  

Fact: False—BIG FALSE! Did we say that loud enough?

In 2017, Save the Children—a large, international nonprofit—reported a cyberattack. This occurred at its Connecticut location where an individual posing as a Save the Children employee “fraudulently induced [via email] the organization to transfer $997,400 to an entity in Japan.” Unfortunately, social engineering continues to be one of the easiest and most effective ways for attackers to gain unauthorized access to privileged systems, resources, and information. As with this cyberattack, the fraudulent email prompting the money transfer appeared to originate from inside the nonprofit and was assumed legitimate.

Unfortunately, attacks (or attempts to attack) are not reserved for large nonprofits. Not only is this actually a historical issue, but it continues to be a substantial and time-relevant threat. We see a considerable uptick in targeted and non-targeted attacks on nonprofit and mission-based organizations of all sizes and missions. Cyberthreats related to the COVID-19 pandemic are also on the rise. According to a recent Interpol report, the creation of malicious domains using terms such as “coronavirus,” “covid19”, and “covid-19” are multiplying. While similar domain names are legitimate, cyber-attackers use false but believable domain names to mask corrupt activities. These include spam and phishing campaigns, website scams, or malware. The bottom line: if you use technology, you are no longer immune to a cyber attack.

Myth: Nonprofits don’t have any money already, so they won’t spend money on cybersecurity. 

Fact: This isn’t always the case.

Nonprofits, by design, operate with highly scrutinized budgets. But, in many cases, this doesn’t mean they aren’t spending money on technology and security. Nonprofits in the Sightline community report significant investments in technology, including hardware, software, cloud applications, and more. Additionally, as technology becomes more complex and necessary to keep things running effectively, many outsource IT to third-party organizations. Unfortunately, as discussed in our first webinar, cybersecurity isn’t only technology. It’s the intersection between people, processes, policies, and technology. We are currently working to help nonprofits understand reasonable spending to improve their cybersecurity preparedness. In turn, this will aid us in helping them choose the best places to spend their valued resources. But to assume all nonprofit organizations don’t have money is entirely false.  Instead, it’s important to understand how nonprofit organizations prioritize their spending.

The quote below from the executive director of a Massachusetts-based nonprofit highlights their position:

“During normal times, nonprofit budgets are stretched very thin and cybersecurity is typically sitting low on the funding priority list. This reality is coupled with the fact that nonprofits lack staff that is trained in how to identify cybersecurity issues. Add in a crisis to the mix and nonprofits become even more susceptible to security breaches as the nonprofit is completely focused on responding to the welfare of its constituents and keeping the business going.”   

And there are many more myths!

Of course, there are many more myths and misconceptions about cybersecurity in nonprofit and mission-based organizations. And even though we understand the unique business characteristics and how these attributes affect cybersecurity within your nonprofit, many organizations don’t. Maybe your nonprofit doesn’t, either. As we continue to gather more insights from nonprofit organizations like you, we promise to keep you updated on what we discover.  

What can you do today about cybersecurity?

Right now, our best advice is to not fall into the trap. Don’t believe the rhetoric about cyber and information security in nonprofits. We have seen it firsthand: if you bring cybersecurity best practices into your organization as a function of your business operations, it is far easier to stay secure.  

In short, don’t think of cyber and information security as a special project, a once-a-year event, or something that you only need an expensive consultant or technology to do or fix. And, please, don’t think of cybersecurity as something that happens to someone else. It is far easier to address security when you aren’t in crisis. So, don’t wait for an attack to spur you into action.

Better cyber and information security is within reach if we debunk the myths and break down the misconceptions. At Sightline, we take a step back from our security-centric viewpoint and consider how nonprofits like yours operate – how you talk and what’s important to you. All so we can align security to what makes you unique and focus on what matters most: your mission and the communities and people you serve.

Cybersecurity myths for nonprofits
Eric-Burger

Kelley Misata

Dr. Kelley Misata, Founder and Chief Trailblazer of Sightline Security, President andExecutive Director of OISF (Suricata), and former Director of Communication of The Tor Project - a cyber and information security executive with 15+ years of experience in cyber and information security operations, marketing, and communications. Expert in bridging gaps between technical and non-technical audiences in cyber and information security conversations and initiatives. Passionate speaker, advocate, and leader in information security, open-source communities, responsible digital citizenship, cyberstalking, and privacy. A business-minded researcher with groundbreaking research in the cybersecurity of nonprofits. Expertise rooted in direct experience as a survivor of cyberstalking.

August 10, 2021

Become a Member

Whether you’re with a large team or a solo entrepreneur looking to start the next great cause, we have a membership package that will help you grow your network and your cause.