Cybercrime Against Nonprofits Is on the Rise

GS INSIGHTS

The last few years have brought stories about cybercrime against nonprofits to the news with increasing regularity. In late 2020 hackers managed to divert $650,000 from the San Francisco nonprofit One Treasure Island to a fraudulent bank account in Texas. In July 2020 the Philadelphia hunger relief nonprofit Philabundance, the largest of its kind in the region, was deceived into sending a $923,533 payment for a construction bill to cybercriminals. And in May 2021, Volunteer Service Abroad, an international development nonprofit based in New Zealand, had its data systems locked by hackers who demanded a ransom to free them.

Such attacks are costly in both monetary and operational terms. The cash stolen from One Treasure Island had been meant as a loan to Mercy Housing California, a nonprofit that planned to use it for low-income housing. Philabundance was hit when it was trying to reach a fiscal year goal of distributing 50 million pounds of food. Volunteer Service Abroad permanently lost some of its data systems. One Treasure Island's missing money hasn't been recovered yet, but Mercy Housing was able to secure a loan elsewhere. The other two nonprofits managed to meet service goals, but even so, the disruption and stress of having to scramble for solutions shouldn't be underestimated.

There are many different types of cyberattacks, from hard-to-spot phishing, to bold ransomware attacks, to incredibly damaging distributed denial of service assaults that shut down entire websites. Generally, access rather than shutdown is the goal. Hackers will often try to divert bank transfers, as in the One Treasure Island and Philabundance examples, but selling website access to third parties who want to launch their own attacks is also profitable. As recently as January, Médecins Sans Frontières, also known as Doctors Without Borders, which takes in between $1 billion and $2 billion a year in donations, was hit by access brokers that tried to sell a database password.

One of the largest recent cyberattacks was against the cloud computing provider Blackbaud, which isn't a nonprofit but is one of the world's leading providers of services to the nonprofit community. It suffered a data breach in May 2020 that affected up to 25,000 nonprofits around the globe. The news coverage was widespread, and the fallout was extensive, resulting in a damaged reputation and multiple lawsuits, even to the extent of litigators soliciting online, seeking parties that might be interested in suing.

Size doesn't matter

A nonprofit doesn't have to be large or well known to suffer a hack. While well-funded organizations like the Heritage Foundation and Easter Seals have been hacked, those that offer less potential for profit can be enticing because of the comparative ease with which they can be penetrated. Two months ago hackers tried to sell a username and password for an account at the John C. Fremont Hospital, a one-story health facility located in Mariposa, a city of fewer than 2,500 people in California's Sierra Nevada foothills. Passwords are usually sold on encrypted message boards. The price asked for this particular item? A mere $800. The hospital wasn't alone—59 healthcare-focused hacks disrupted patient care at more than 500 facilities in 2020.

While extensive data on the hacking of small nonprofits isn't readily available, on the whole, small enterprises have seen a major upswing in cyberattacks, with 42% of small businesses experiencing one between November 2020 and November 2021. According to the Cyberpeace Institute, more than 50% of non-governmental organizations have reported being victims of cyberattacks at some point. The number could be higher. Disclosure requirements for hacking episodes vary by country. But it's safe to assume that few nonprofits are small enough to escape the notice of cybercriminals.

Nonprofits are attractive targets for several reasons. One is that online donation forms are a potential source of credit and banking details. Another is that nonprofit websites are often updated only intermittently, and can suffer from obsolete plugins, outdated components, and inadequate password management. In addition, many nonprofits are staffed by part-time workers whose experience with digital fraud is limited. A phishing email can be amazingly hard to spot. During the course of writing this article I received a fraudulent Amazon email. Its logos were correct, its format convincing, and its language grammatically perfect. The only visible indication it was fake was a tiny dot where one shouldn't be: in its address line, instead of account@amazon, it read account@aṃazon.

The theft that One Treasure Island fell victim to hinged on phony requests to change wire transfer procedures, but the email addresses in the requests were slightly incorrect. If those scam address lines were as subtle as the Amazon address line above, it's easy to see how a busy staffer might not notice. But even with the upswing in cyberattacks and the increasing sophistication of those incursions, surveys suggest that most nonprofits that maintain an online presence have conducted no vulnerability assessments, and most don't have a cybersecurity policy.
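One defensive check for the kind of lookalike sender address described above (the stray dot in aṃazon, or the slightly-off addresses in the wire-transfer change requests), as an added example and not code from the article: a Python function that strips combining marks to expose a homoglyph domain and flags domains that are one edit away from an allow-listed one. The allow-list and the sample senders are constructed for illustration.

```python
"""Flag sender domains that merely look like a trusted domain.

Added example, not code from the original article. The trusted-domain list and the
sample senders are constructed; the aṃazon address reproduces the homoglyph
pattern the article describes.
"""
import unicodedata

TRUSTED_DOMAINS = {"amazon.com", "example-nonprofit.org"}  # constructed allow-list


def skeleton(domain: str) -> str:
    """Reduce a domain to plain ASCII: decompose marked letters (NFKD) and drop
    the combining marks, so the dotted m in 'aṃazon' collapses to 'm'."""
    decomposed = unicodedata.normalize("NFKD", domain.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'homoglyph', 'lookalike' or 'unknown' for one address."""
    domain = address.rsplit("@", 1)[-1].strip().casefold()
    if domain in trusted:
        return "trusted"
    if not domain.isascii() and skeleton(domain) in trusted:
        return "homoglyph"   # non-ASCII letters that read as a trusted name
    for good in trusted:
        if edit_distance(domain, good) <= 1:
            return "lookalike"   # one edit away, e.g. amazom.com or amazon.co
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the pattern from the article.
    for sender in ["account@amazon.com", "account@aṃazon.com",
                   "billing@amazom.com", "news@otherdomain.net"]:
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A mail filter or a finance-team checklist can treat anything other than "trusted" as a reason to confirm a payment-change request by phone, using a number already on file.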

Attacks are expected to increase

Digital security experts are in agreement that cyberattacks are going to increase. According to Harvard Business Review, the amount of ransoms companies paid to hackers grew by 300% in 2020 alone, and according to the Identity Theft Resource Center, data breaches rose 68% in 2021. Cybercrime as a whole has been boosted by numerous factors, including the COVID-driven increase in remote work and the softer security such dispersal brings. The costs of cybercrime vary according to who's making the estimate, but a number of sources agree that by 2025 it could cost $10.5 trillion in damages annually. If that amount were a nation's economy it would trail only the U.S. and China.

In October Microsoft released its 2021 Digital Defense Report, which sheds a bit more light on the challenges nonprofits face. The report contains a section focusing on nation-state actors and the sectors they attacked. Between June 2020 and June 2021, NGOs and think tanks made up 31% of all “notifications of nation-state attacks against organizational domains.” In other words, hacker groups either employed by governments or working toward a particular government's geopolitical goals are besieging nonprofits. The majority of attacks were upon groups perceived as being important to security, policy, research, and infrastructure, but the data is still something all nonprofits may want to note. Also to be noted is that despite the growing focus on foreign hackers, 85% of hacks against U.S. sites originate internally.

Any nonprofit can take effective anti-hacking measures. Organizations with large budgets can hire experienced third-party help, but for those with tighter finances, precautions recommended by experts include redundancies and backups, creating multiple levels of data, regular system updates, diligent monitoring, staff training, and careful password management, including the use of multi-factor authentication. Encryption of hard drive files, even when a nonprofit uses cloud storage, is also recommended, so that in the case of a data breach a hacker still needs to penetrate the encryption. Keeping close track of hardware, if possible, can also help. A hacker can work wonders with a stolen laptop or mobile phone.

In an era of what feels like growing lawlessness in the digital realm, and amidst soaring monetary rewards for cybercrime, nonprofits should take any steps necessary to avoid being easy victims. While some hackers have political goals or personal axes to grind, most are concerned only with profit, and view their activities as a volume business. More hacks mean more cash. That, in turn, means even nonprofits with the most benevolent of missions can be targeted. Data protection should be a top priority, and be thought of as a necessity for the future.

Action steps you can take today