May 30, 2023

Understanding Cyber Exposures for Nonprofit Organizations

Stealing from charities may seem especially wrong, but many hackers have no qualms about stealing data from nonprofit organizations. In fact, nonprofits can be attractive targets, so employees and volunteers must watch out for ransomware, phishing schemes, and other types of attacks in order to minimize the organization's cyber exposure.

Why Cybercriminals Target Nonprofit Organizations

Cybercriminals target organizations in any industry and of any size. However, they tend to focus on organizations with the things they want – namely, money or sensitive information. Nonprofits are attractive targets for several reasons. For instance, they may:

  • Have donor information. If hackers can get their hands on bank numbers and other donor data, they may be able to drain victims’ bank accounts. Hackers can also sell financial information to others.
  • Have client/patient information. Nonprofits may have Social Security numbers, email addresses, physical addresses, and other pieces of personally identifiable information about clients. Hackers can use this information for identity theft.
  • Be desperate to resume operations. Nonprofits often provide critical services, meaning any downtime can result in harm to the people the organization serves. As a result, nonprofits may give in to ransom demands.

There’s one more reason cybercriminals might focus on nonprofits: many nonprofits lack the investment in IT systems and cyber awareness training that could prevent cyberattacks. As a result, cybercriminals may see nonprofits as easy targets.

Some Attacks Are Down – But Losses Are Up

Some of the numbers from 2022 look promising, but it’s not time to let your guard down. The FBI’s Internet Crime Complaint Center (IC3) saw a 5% decrease in the number of complaints from 2021 to 2022. The number of reported ransomware attacks also decreased. However, the losses from cyber incidents surged from $6.9 billion in 2021 to more than $10.2 billion in 2022.

Cyberattacks remain a persistent and increasingly costly threat. A single incident can result in a wide range of expenses – from the immediate costs of mitigating the threat and recovering systems to the long-term costs related to reputational harm and regulatory compliance.

Cyber incidents are also more costly than many people realize. According to IBM, the average cost of a data breach in 2022 was $4.35 million. Nonprofits also have to consider the impact on donations – if donors don’t trust the nonprofit to keep their financial data safe, they may decide not to give.

The Top Threats

Cybercriminals use a combination of tactics to target victims. Some strategies exploit weaknesses in technical systems; others rely on human error and aim to trick individuals into providing information or opening the door to an attack.

IBM says phishing was the top infection vector in 2022 – in fact, it was the vector in 41% of all incidents. Spear phishing attachments were an especially common tactic, accounting for 62% of all phishing incidents. The second most common infection vector was vulnerability exploitation.

Proactive Management of Cyber Exposures for Nonprofits

Don’t wait until a cybercriminal has infiltrated your system – take proactive steps to prevent and minimize damage now.

  • Train everyone on how to be cyber-savvy. Cybersecurity is not just the responsibility of the IT department. Everyone at your organization needs to know how to spot and avoid phishing, business email compromise attacks, and other social engineering schemes. Raise awareness of how to avoid fake emails, malicious links, and phony requests. Engage your team by using exercises to practice spotting these scams. In addition, you should create policies on strong passwords, multifactor authentication, avoiding public Wi-Fi, and other basic cybersecurity measures.
  • Fix vulnerabilities. If you’re still using unpatched systems and programs with known vulnerabilities, it’s just a matter of time before a hacker exploits a weakness in your system.
  • Create a cyber incident emergency response plan. Identify your risks, determine how an attack would impact your operation, and create a plan to mitigate the damage. CISA offers guidance on how to create your cyber incident response plan.
  • Invest in cybersecurity. Most nonprofits operate on razor-thin margins. You no doubt want to spend every penny you can on the people you serve. However, failing to invest in cybersecurity can lead to bigger costs and problems in the long run. Cybersecurity needs to be a priority, which means investing in secure systems, training, and cyber insurance.

Heffernan Insurance Brokers delivers the insurance products you need to manage your risks, including cyber exposures for nonprofits. Learn more.
