Why Do Hackers Target Nonprofits?

August 17, 2021

What Can Your Organization Do To Combat Nonprofit (NPO) Cybercrime? The Answer Is, More than You Think.

If you’re running a small nonprofit, it can be easy to think that you’re not a big enough fish to attract the attention of a cyber criminal. But you’d be wrong. In fact, cybersecurity think tanks say about 50 percent of charities have already experienced a serious incident of nonprofit (NPO) cybercrime.

How Does Your Organization Become a Target for Nonprofit (NPO) Cybercrime?

Charities are a far more tantalizing target than you might realize. Most nonprofits have donor data stored somewhere in their archives, stocked to the brim with personal and financial information from wealthy donors. And let’s not forget the personal information of members, clients, volunteers, and employees. To save money, many nonprofits use cheap or free software to build their websites, coupled with inexpensive, introductory web hosting options without security features.

Add all that to the fact that many startup nonprofits don’t have a CIO or internal IT staff minding the networks, and these small organizations become the perfect sitting duck.

So how are cybercriminals making a business of nonprofit (NPO) cybercrime?

Types of Attacks

Attack strategies tend to work, no matter what the size of your company. Nonprofits, though, are just a little more likely to make access for thieves a bit easier. Here are some of the most common ways cyber criminals can attack you:

Denial of Service attacks: In a DoS attack, hackers bombard your system with looping requests that crash your system. Functionally, they shut down your system.

Phishing and impersonations: Here, cyber thieves impersonate trusted sources so you’ll click on a malware-infected link, or type in passwords, or offer up banking or personal information. Sometimes the attack emails and texts are so well produced, it’s hard to believe they aren’t coming from the CEO, or from your bank. Volunteers or employees who haven’t been trained to spot these attacks can be especially vulnerable.

SQL injection attacks: If you have a database-driven website, like, say, one that collects donations from the public, you could be especially at risk. Hackers send a crafted SQL query to the database to get access to the rest of the data on the server.

Malware/Ransomware attack: The two often go hand in hand or are synonymous. First, a hacker infects your network with malware. Then they use that malware to lock down your systems. You’ll be completely unable to access a file or use your system in any way unless you pay the “ransom,” which often runs into the millions.

Hackers won’t care if that kind of payout would effectively end your organization’s altruistic mission. All they want is their ransom. Nonprofit (NPO) cybercrime is, after all, a very lucrative business.
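To make the SQL injection item above concrete, here is an added example (not code from Integris or from any real donation platform) that runs the same donor lookup two ways: with visitor input pasted into the SQL text, and with a parameterized query. The `donors` table, its columns, and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory donor table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE donors (email TEXT, name TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO donors VALUES (?, ?, ?)",
        [
            ("ann@example.org", "Ann", "1111"),
            ("raj@example.org", "Raj", "2222"),
            ("lee@example.org", "Lee", "3333"),
        ],
    )
    return db


def lookup_unsafe(db, email):
    """Vulnerable: visitor input becomes part of the SQL statement itself."""
    sql = "SELECT name, card_last4 FROM donors WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    """Hardened: the ? placeholder passes the input as data, never as SQL."""
    sql = "SELECT name, card_last4 FROM donors WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed form input: the quote closes the string early and the
    # OR clause makes the WHERE condition true for every row.
    crafted = "nobody@example.org' OR '1'='1"
    print("unsafe lookup returns:", lookup_unsafe(db, crafted))
    print("safe lookup returns:  ", lookup_safe(db, crafted))
    print("normal lookup returns:", lookup_safe(db, "ann@example.org"))
```

The unsafe version hands back every donor record for a single form submission, while the parameterized version treats the same input as an email address that matches nobody.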

How to Prevent Nonprofit (NPO) Cybercrime

It all sounds very scary, and it is. Cybercrimes of all kinds are on the rise globally. And as many as 43 percent of those getting hacked are smaller organizations. But while hackers are getting more sophisticated, so are the tools that are being used to combat them. And the good news is, they are tools that most organizations find affordable, scalable, and easy to manage, especially when installed with the help of a good managed services IT provider.

Here at Integris, we specialize in offering managed services to nonprofits of all sizes, and we do have certain go-to strategies that we use to help our clients achieve a good baseline of cyber resilience for their organizations. Here are some strategies we recommend:

  • Improve password strength—Your employees, volunteers, donors, or anyone else accessing your network by password should be trained to create hard-to-guess passwords with a combination of upper and lower case letters, numbers, and special characters. Instruct them not to use addresses, birthdays or other details that can be easily guessed. And make sure they memorize those passwords, instead of putting notes on their desks, or carrying around the password with them.
  • Get two-factor authentication, immediately—This system asks users to first log in on your website, then verify their identity using a security app on their phone. Duo Mobile is a service we use to do this, and we find that two-factor authentication can repel more than 90 percent of all login cyberattack attempts.
  • Purchase redundant data storage—If a hacker were to strike tomorrow, what would happen to your files? For many, they’d be gone forever. But at Iconic, we recommend our customers store everything in two places, one on their network, and another in a cloud-based service that backs up everything to an offsite server in the cloud. Even if you lose everything, it can all be restored completely in a matter of hours.
  • Consider migrating your operations to the cloud—It may seem safer to have data servers on site, and for many organizations, that will be true. But, there are tremendous benefits to be gained for your security if you move operations to the cloud. If you have all your software in the cloud, through a service like Microsoft Windows 365 for instance, all your software updates will be handled automatically in the cloud. There’s no worrying over whether your people have downloaded the latest update. And if you upgrade to Microsoft Cloud PC, you’ll get that benefit, plus the ability to run your entire operating system in the cloud. With fewer security patch lapses, you’ll be a far more difficult target for hackers.
  • Make security training a part of your culture—You shouldn’t have to worry about creating your own security classes for your employees. If you work with a reputable MSP, they should be able to set you up with mandatory security training programs that can be taken online. Educated employees are far less likely to fall for online scammers, and you can monitor their class completion rates from a centralized dashboard.
  • Don’t forget physical plant security—Does your office location or mission make you prone to break-ins, protests or terrorist attacks? If so, then you may be eligible for government funds that will pay for the cameras and monitoring equipment you need. Check out our latest blog for information on whether you’re eligible for the security grant for nonprofits, and how to apply.

Want to Learn More About Preventing Nonprofit (NPO) Cybercrime?

Integris has a long history of working with small and medium sized nonprofits, and has a lot of resources to offer organizations looking to do their homework on cybersecurity. If you’d like to take a deep dive on the topic, watch our latest webinar. We have convened a panel of experts across industries to address the topic Risk Management for Nonprofits in 2021, and How To Mitigate. You won’t want to miss it! And if you’d like to download all Iconic’s customer resources on cyber security for nonprofits, check out our Nonprofit Essentials Kit. You’ll find our white papers, strategy documents, free webinars, DIY security assessments, and so much more!

Susan Gosselin is a Senior Content Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
