Nonprofits often fly under the radar when ransomware attackers are looking for prey. Media reporting of nonprofit ransomware incidents has been minimal, aside from attacks on NGOs in Philadelphia and New Hampshire. However, executives should prepare for attacks proactively so as not to have costly, time-consuming surprises if they happen.
Preparation is essential, given the spike in ransomware that is happening now. In fact, governments should share intelligence about ransomware perpetrators with nonprofits, according to "Combating Ransomware," a 2021 global report from the Institute for Security and Technology (IST). This would include descriptions of the roles, tactics, personas, responsibilities, techniques, and behavior of threat actors.
Leaving the nonprofit sector vulnerable to ransomware is unwise because nonprofits handle sensitive information and have financial limitations. This sensitive information can include the personal stories of clients with court cases or criminal charges. It is also crucial for nonprofits to maintain their reputations, which could be damaged if attackers read and expose staff correspondence.
The light burden on nonprofits to date may be due to their small size, according to Amy Sample Ward, CEO of NTEN, a technology nonprofit that builds capacity for social change. (Most US nonprofits — 92% — have budgets of under $1 million per year, according to the National Council of Nonprofits.) But just as small businesses can't be complacent about flying under the radar, nonprofits also need to prepare for attacks because they can be devastating.
Write in Cybersecurity Costs from the Beginning
Foundations should begin building cybersecurity into the everyday project-management and grant-accountability structure of nonprofits, Ward says. Ward co-authored a report, "Cybersecurity Essentials for Philanthropy," published by NTEN in 2019, that described how grant-makers can integrate both of these expectations into their grant requirements.
One example of building cybersecurity into project management is setting up two-factor authentication for access to nonprofit files. Two-factor authentication can involve sending a confirmation code via text messaging. This step means that a potential attacker who has obtained a staff member's password would still need that staff member's cell phone to log in.
Building cybersecurity into grants means writing in technology expectations — and attaching funding to them. If the funding is flexible, that would allow nonprofit managers to decide how to use it. The grants can cover a combination of cybersecurity training, security consulting, knowledge resources, and staff conversations.
"Imagine if funders expected technology costs to be included with every single grant application they review," Ward said in the NTEN report. "This would support an investment in and the capacity for strategic cybersecurity protections."
Ask for Help
Some nonprofits lack IT capacity, which makes it difficult for them to take action on cybersecurity, the NTEN report said. And managers may be unaware of technology issues if their background is in other fields. This leaves them unprepared for potential hazards.
"Right now, our country is under attack. Our homes and businesses are under attack," says Craig Newmark, founder of Craig Newmark Philanthropies. He is funding two initiatives that will support cybersecurity for nonprofits, giving a total of around $500,000 to two organizations that help to improve nonprofit cybersecurity — IST and the Global Cyber Alliance (GCA). The grants funded IST's global ransomware report and GCA's cybersecurity resources for journalists, elections, and communities.
The grants "pay the researchers to build recommendations which can help the global community fight back against ransomware," Newmark says. "Sometimes, ransomware attackers are just looking to make money. Other times, they're looking to disrupt things."
For nonprofits with limited financial resources, NTEN provides some safety-planning advice, such as how nonprofits can work within their budgets by making use of discounts, as well as affordable alternatives for malware prevention, online authentication, and data encryption.
Microsoft's 2017 report "Nonprofit Guidelines for Cybersecurity and Privacy" said NGOs should consider using cloud computing because it is likely to provide them with better data security than local storage does. Cloud computing gives nonprofits access to data centers that have physical security, encrypted communications, and continual surveillance. These centers comply with international data security and protection standards, such as ISO 27013 and ISO 27001.
Nonprofits can also seek assistance from IT consultants who are motivated to work with them.
"There's a community of cybersecurity professionals who want to help and assist this space," says Matt Mitchell, Building Institutions and Networks tech fellow at the Ford Foundation.
Keep Data Minimal
When nonprofits keep their data simple, they present less of a surface for ransomware groups to attack, Newmark says.
"In the case of my philanthropy, we run very lean in the way of providing very few targets. That's my recommendation," he says. "When you find ways to keep things simple and store as little data as possible, you have much less value to attackers of any sort."
The nature of the information NGOs gather puts them in a precarious position. For example, Digital Defense Fund provides software and security for abortion-access providers. Many nonprofit hospitals handle personal information. Other nonprofits handle topics such as immigration or incarceration.
"With a nonprofit, you're often seeing the importance of doing good [and] working for a marginalized cause," Mitchell says. "There's a lot of human impact there. [Ransomware] could really hurt the trajectory of the work a nonprofit could do. As the system becomes encrypted, it could prevent them from doing anything."
Mitchell led a team that developed a cybersecurity assessment tool for grantees of the Ford Foundation's Building Institutions and Networks (BUILD) program, which funds social justice organizations around the world. Many of the grantees are in the global south, the Ford Foundation website said. The tool asks how well nonprofits fuse cybersecurity into their everyday workflows. It also asks what threat incidents staff have seen. To assess the political environment, the questionnaire asks about whether the nonprofit supports displaced or minority groups — and whether it faces state or business opposition.
Other organizations outside the BUILD program can also use the tool, which has no fees and keeps data confidential. This is useful for privacy-conscious NGOs.
Even though nonprofits collect data that relate to controversial conversations, threat actors may not find their data or funding valuable enough to pursue.
But banking on this continued avoidance of the nonprofit sector is dangerous. Instead, nonprofits need to create a culture where people are always aware of cybersecurity when handling data, says Rick Cohen, CCO and COO at the National Council of Nonprofits.
When managing information, nonprofits need to have an environment where everyone is on guard, Cohen says. "You always have to view everything slightly suspiciously because that's what we have to do to keep the data secure."