Non-profits have many of the same cybersecurity issues as for-profit companies. These potential threats are “invisible” yet need to be addressed. But non-profits, whether houses of worship, trade organizations, advocacy organizations or others, often think that they are not a target. Whereas many for-profit organizations are subject to regulatory demands, most non-profits are not.
Are non-profits really a target? Here are some examples of recent cyber attacks against them.
- Relentless Church in South Carolina was targeted by the LockBit ransomware group in 2023 [1]
- Bishop Luffa School, a Church of England school, had information about students breached in 2023 [2]
- Doctors Without Borders had password information stolen and offered for sale in 2022 [3]
- Broward Health had 1.35 million private data records stolen in 2022 [4]
- The Philadelphia Food Bank experienced a ransomware attack in 2020 [5]
- The Heritage Foundation was targeted by a cyber attack in 2024 [6]
The list goes on and on!
Why are non-profits targeted?
- They often collect and store personal information such as names, addresses, phone numbers and financial information for many people. This includes staff, affiliates, and donors. If background checks are performed for volunteers, there is a goldmine of information that may be targeted. Cyber criminals like to steal identities or commit financial fraud against anyone they find.
- Many times non-profits have significant funds in the bank. These funds are not only used for paying bills, but many times are earmarked for specific projects. Many times donor financial information is input through an online form, and the information is stored. Stolen financial information makes non-profits an attractive target. Cyber criminals like to steal this financial information, make direct attempts to steal the funds, or redirect donations.
- Cyber security is often not prioritized. Non-profits usually have a specific mission and their focus is there. Sometimes the non-profit has limited funds or just a lack of awareness. Good cyber security practices may not be followed. These things may make them an easy target for cyber criminals.
- There are times when non-profits are targeted by those who ideologically oppose what they are doing. This is often the case for religious or political organizations. They are attacked to damage their reputation, cause financial harm, or disrupt operations. Breaches of sensitive information can lead to a loss of trust by members or the community.
- Many non-profits operate on thin financial margins. This leads to using donated or outdated technology, to configurations being done by volunteers who may not be versed in the nuances of security, or to systems being managed poorly. This all leads to vulnerabilities that cyber criminals can exploit.
What can a non-profit do?
One of the most important things a non-profit can do to strengthen its cybersecurity is simply to make it a priority. This means not only beginning to think about the technical aspects of cybersecurity but also making a plan to prepare for an attack.
High-level tasks include:
- Follow fundamental cybersecurity practices
- Have an attitude of trusting no one concerning your information
- Make plans for how to survive a cyber attack
- Help your staff to be aware of how they may be targeted and what to do about it.
Taking steps to address the likely cyber attack will help your non-profit survive and thrive.
————–
[1] – https://therecord.media/cybercrime-groups-find-new-target-churches
[2] – https://cybernews.com/news/bishop-luffa-school-attack-leak-student-names/
[5] – https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/
[6] – https://cyberscoop.com/hackvists-release-two-gigabytes-of-heritage-foundation-data/