The Gallagher Cyber team has identified the most frequent cyber threats that nonprofits face.
Author: John Farley

The nonprofit sector, despite its humane mission, isn't immune to cyber threats. Charities collect and manage valuable information, including user details, financial records and beneficiaries' personal data, making them prime targets for cyber breaches or attacks.

Our Gallagher Cyber team has identified the most frequent cyber threats that nonprofits face and provides practical advice to avoid them.

Phishing attacks

Phishing remains one of the most common types of cyber breaches or attacks. Cybercriminals often impersonate organizations or individuals to trick employees into divulging sensitive information such as login credentials or financial details.

What you can do: Prioritize employee training on recognizing suspicious emails and requests for sensitive information. Keep software updated regularly, implement email filtering systems to stop phishing attempts and enable multi-factor authentication for added security.

Data breaches

Nonprofits often handle sensitive user information, including financial details and personally identifiable information. Data breaches resulting from cyberattacks can lead to exposure of sensitive data, potentially violating regulations.

What you can do: Make sure your organization implements strong access controls and encryption for sensitive data, conducts backups, updates systems regularly, scrutinizes third-party vendors rigorously and establishes robust incident-response strategies.

Ransomware

Cyber criminals encrypt an organization's critical data and demand a ransom for its release. Given the importance of data integrity for nonprofits, ransomware can potentially disrupt the organization's operations and break user trust.

What you can do: Educate staff on identifying phishing emails and suspicious links, implement a robust backup strategy, segment networks to restrict access to sensitive data and stay updated on the latest ransomware trends and techniques.

Supply chain attacks

Many nonprofits depend on third-party vendors for services such as fundraising platforms, IT support and cloud services. However, these vendors can introduce vulnerabilities into the organization's infrastructure, which becomes a potential entry point for cyber attackers.

What you can do: Implement vendor security assessments, use secure communication channels such as encrypted emails or secure file transfer protocols, monitor supplier activity on your network and establish clear contractual obligations.

Insider threats

While nonprofits typically have passionate staff, insider threats cannot be ignored. Unhappy employees or volunteers may intentionally or unintentionally compromise the organization's security by leaking sensitive information or engaging in malicious activities.

What you can do: Implement monitoring tools to track employee actions, establish clear policies and procedures for handling sensitive information, limit access to sensitive and confidential data and provide regular security awareness training to employees.

"It's imperative for those working in the nonprofit sector to maintain robust cybersecurity measures," says John Farley, managing director of Gallagher's Cyber Liability practice. "Without security measures, nonprofits raise the risk of a cyberattack that could lead to severe disruptions to their critical services and irreparable damage to the populations that rely on them. In addition, a cyberattack against a non-profit could lead to reputational harm and an erosion of public trust, significantly undermining future fundraising efforts."
