By Lisa Campbell, Vice President SMB, CrowdStrike
Small and medium-sized businesses (SMBs) are a more frequent target of cybercrime than large companies, and small non-profits face an even higher incidence of high and critical-severity attacks.
On the surface, the trend toward attacks focused on smaller organisations may seem counterintuitive. There are obviously more lucrative targets for cybercriminals than a small non-profit organisation, and hitting large commercial targets is less likely to generate public outrage. Given the risk and presumably low payday, why is this sector seemingly painted with such a big bullseye?
Let’s examine five reasons why non-profits are a common target and discuss how your organisation can defend against potentially disastrous attacks.
- Attackers know non-profits operate under financial constraints, making them likelier to have weak cyber defences
All businesses have financial constraints, but the pressure to keep costs down is especially intense for non-profits, where money spent on operations is seen as money that can’t be used to support the organisation’s mission. Non-profits are reluctant to commit to overhead spending, and many donors hesitate to give money that would go toward costs not directly related to programs.
According to the National Council of Nonprofits, 88% of America’s 1.3 million charitable non-profit organisations operate on an annual budget of $500,000 or less. Given the pressure to spend that money on providing services and paying staff, there is little budget available for expenses beyond the core programs.
Unfortunately, cybersecurity protection falls under “overhead spending.” Funding for security technology, or even for IT upgrades in general, is likely not a top priority. Many non-profits — especially smaller organisations — lack adequate cybersecurity defences as a result, leaving them vulnerable to attack. Attackers know this.
- Budget challenges mean outdated PCs, operating systems and limited cybersecurity training
The cybersecurity threat landscape is quickly and constantly changing. Computers, operating systems and other technology such as smartphones and tablets must be kept up to date to avoid a constant stream of vulnerabilities. Any connected equipment left unpatched gives the adversary an opportunity to gain access to the organisation.
For-profit businesses know the costs of cyberattacks and the damage a breach can cause. Depending on the sector, they spend anywhere from 3% to 13% of their annual revenue on IT, with smaller non-profits spending a greater percentage. However, many non-profits are unable to match that level of spending.
Budget challenges affecting cybersecurity extend to general IT. Some non-profits rely on PCs donated by businesses and individuals who no longer need them. Staffing is also affected; non-profits often rely on volunteers to fill many roles. Due to financial constraints, cybersecurity training is superficial — if it happens at all. This heightens their risk from common tactics such as phishing.
- Non-profits are a source of valuable data
Although they are often much smaller than a typical corporation, non-profits remain a valuable target for adversaries. For example, some non-profits sell merchandise or services on their websites and store purchase-related information on their network. Infiltrating one of their servers could lead attackers to donors’ credit card and banking information. While it’s not anywhere near the scale of a major retailer like Amazon, a non-profit presents adversaries an opportunity to steal customer data they can then use to achieve their goals — and possibly prove the adversary’s worth to larger, more prolific networks of hackers.
Financial data isn’t the only information at risk. Many donors may be people or organisations whose status and/or resources make them potential targets. Access to their data may be enough reason to attack a non-profit. It’s also highly likely employee data is stored locally, including personal information such as Social Security numbers, home addresses, phone numbers and banking data. This data can end up being sold on the dark web, leading to serious consequences such as identity theft, financial loss and an impact on the credit scores of the employees who are affected.
Unfortunately, there are many examples of non-profits being targeted by cyber criminals for their data. An attack in 2019 impacted one of western New York’s largest non-profits, resulting in a breach that exposed sensitive data including the names, addresses, Social Security numbers, financial data, government IDs, medical information and health insurance details of 1,000 clients.
- Non-profits may be political or terrorist targets due to the causes they represent
Not all cyberattacks are motivated by profit. In some cases, a political or social element is involved, especially when the target is a non-profit organisation. Support for certain causes can make non-profits a target for so-called “hacktivists” or even state-sponsored cyberattacks from the other side of the issue. The goal in these cases is often to disrupt the non-profit and prevent it from accomplishing its mission.
A prime example of this is the Russian invasion of Ukraine. In the leadup to this war, CrowdStrike tracked a significant increase in malware attacks against Ukrainian companies and media outlets. It has been reported that humanitarian organisations providing aid to Ukrainian refugees and other non-government organisations (NGOs) have also come under cyberattack. Another prominent example took place in late 2022, when Amnesty International suffered a data breach linked to the Chinese government, which Amnesty has criticised for human rights violations.
- Non-profits can provide access to larger targets through supply chain connections
Non-profits are part of the software supply chain. They likely have login credentials or online access to other companies they do business with; for example, for ordering products and services, processing payments and conducting financial operations.
This connection, combined with their weak security posture, means attackers may see a non-profit as a stepping stone to a more lucrative target. They could gain access to the weaker network and use that connection to quietly establish a foothold within a much larger and better-protected target.
Non-profits need a better approach to cybersecurity
The message is clear: a non-profit’s mission or charitable status doesn’t offer protection from cyberattacks. If anything, analysis shows these organisations are key targets and are being attacked with alarming frequency. Even small non-profits can be the target of an attack — with devastating results.
Modern cybersecurity protection is not an option — it’s a must. Unfortunately, the traditional antivirus tools used by SMBs, including many non-profits, are unable to keep up with the pace and complexity of today’s ransomware and cyberattacks.
Non-profits would do well to deploy user-friendly, cloud-based cybersecurity solutions that are more comprehensive than AV tools but don’t require the expertise and dedicated resources of a complex threat analysis platform. This is especially true for smaller non-profits with less IT budget and less staff expertise in cybersecurity.
Fortunately, the advent of AI-powered cybersecurity is making it easier for users of all skill levels to deploy protection that’s capable of stopping the modern cyberattacks that antivirus solutions often miss. Look for solutions that can be deployed quickly, verify their protection stats, and offer protection against data theft.
Non-profits should look for endpoint security solutions that have been validated by independent, third-party industry analysts, such as Gartner, Forrester and IDC, or which have been tested and proven by hands-on testing labs like SE Labs.
Don’t overlook the possibility of pro-bono cybersecurity support, either. Non-profits with a small number of endpoints (laptops, computers, servers, smartphones, printers and other devices that connect to their network) can often apply for free access to cybersecurity protection from leading cyber companies.