News & Insights

Who Profits Off of Nonprofit Organizations?

WhiteHawk Inc.

Who Profits Off of Nonprofit Organizations?

Nonprofits are seen as organizations focused on providing services and making a positive impact on the community or for a segment of the population. It is hard to think someone would steal from and disrupt a nonprofit's altruistic mission. But cyber criminals do.

The large majority of nonprofits are considered small or grassroots organizations of which two-thirds have annual budgets less than $1 million, per this GuideStar report. Resources are tight and that means cybersecurity practices must be effective yet affordable.

Nonprofit organizations tend to store vast amounts of sensitive data related to partners, members, and research, and historically do not have the resourcing needs to employ a cybersecurity officer outside of their IT lead. They are rich in information that hackers want; pain points in this sector center around e-commerce transactions, email communications, and risks introduced by volunteers.

The good news, fortunately, is that there are affordable ways to tackle those risk areas.

According to the 2018 Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media & Sport (DCMS), nearly one out of five nonprofits experienced a cyber intrusion over the last 12 months. Add that average to the more than 1.5 million nonprofits registered in the U.S. and we're talking hundreds of thousands of incidents.

The same survey showed that only about one in five organizations had a formal cybersecurity policy in place. Community IT, a nonprofit focused technology provider, recently published similarly alarming statistics, showing a quarter of nonprofits experience malware incidents and one out of ten endured compromised accounts.

Based on the same Community IT report, addressing the top 3 types of incidents (email phishing, 19, and account compromise) can make a meaningful impact on mitigating cyber risks in the nonprofit sector:

Phishing - fraudulent emails sent as if they were from a real company, but are used to collect data from or deliver malware to the recipient

KnowBe4 is a cybersecurity awareness and training platform that can help teach employees to better manage the critical IT security problems of social engineering. The program regularly seeks to improve user behavior among your network users.

Using an endpoint protection tool provided by Symantec, such as Panda, or Forcepoint for example, will help add an additional security layer to your user behavior troubles. These machine learning tools help prevent behavioral-based data loss and exposes other insider threats that present risk to critical systems, such as fraudulent transactions or cyber sabotage.

Malware - software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system

Many anti-malware services exist, and work similar to a traditional antivirus program, but also provide peace of mind through keystroke encryption, multifactor authentication and more. Some top names in the category are:


-Trend Micro


Account Compromise - when login credentials are lost or stolen, and the related account with access to sensitive information on the network is accessed by a bad actor

Acronis offers a full system, a secure backup tool that Includes active protection from Ransomware.

Roboform is one of the many password managers available that enable users to create and store unique and complicated passwords for all of their online accounts and synchronizes them across all of their devices.

Operating through a data breach is easier with an effective data security strategy in place. It starts with assessing what data your company collects and segmenting it into two primary categories: sensitive vs. non-sensitive data.

-Sensitive, or critical data, if lost or stolen, will negatively and potentially permanently impact an organization's reputation. Membership and financial data fall in this category.

-Non-sensitive, or standard data, is information that does not interrupt business operations if lost or stolen. This may be because it is backed up, or because it is not vital to business.

The second part of a data security strategy is implementing data assurance solutions.

-For sensitive data, encrypt the information, and make sure it is not openly accessed by all members or employees. It should be back up on a regular schedule as well.

-For non-sensitive data, back up the files on a consistent, daily rhythm on both cloud-based services and on-premise hard drives.

Nonprofits play an important role in our society. Implementing solutions guided by industry trends is not only critical to their secure operation, but are actually affordable, accessible, and easy. Dealing with the repercussions of losing data and derailing the mission is not.

Looking for a way to mitigate risk of your nonprofit? WhiteHawk is here to help.