
CSOs Eye Challenges and Solutions for Nonprofits

Nonprofit organizations can provide a wide range of services across various sectors—business and consumer associations, education, politics, religion, and social clubs, to name a few.

But regardless of what industry a nonprofit operates in, the goal remains the same: to provide collective, public, or social aid to its target audience. Because of that goal, revenue that the organization generates and donations it receives are often limited or earmarked for certain operations. The intent behind such constraints can be noble—for example, assurance that the funds will be used to directly impact those receiving aid from the organization.

However, those same intentions can impact the organization’s overall well-being if other priorities result in a lack of investment in operations, logistics, and security. And in an organization where resources, such as money or staff, are already constrained, departments are often competing with each other to prove that they are a priority, according to Ian O’Brien, CPP, CSO for World Learning.

“One of the biggest problems, especially when it comes to nonprofits, is getting people to put in the time and the resources toward security,” notes Leibel Garelik, CSO for Chabad-Lubavitch, a global religious nonprofit with roughly 5,200 locations.

The people working and volunteering at nonprofits are often passionate about the organization’s cause—but they sometimes see any time or other resources taken away from the priority of the overall mission, even for security reasons, as an inconvenience, Garelik notes.

The same obstacles apply to cybersecurity efforts, and security departments must lobby hard for resources and buy-in. Unfortunately, criminals are increasingly aware that, unlike at for-profit or government organizations, the data housed on a nonprofit’s servers or access to its systems and accounts might be less tightly guarded.

The motivations for launching a malware or ransomware attack are variable, sometimes depending on the nonprofit and other times on the attackers.

For Chabad-Lubavitch, Garelik often sees cyberattacks fueled by hate, such as hacking into religious leaders’ social media accounts to post anti-Semitic messages or pro-Nazi propaganda. Others, meanwhile, are primarily motivated by money.

In January 2022, a cyberattack against the International Committee of the Red Cross (ICRC) computer servers compromised the personal and confidential information of more than 515,000 vulnerable people, including ones who were separated from families, officially considered as missing, or held in detention.

In January 2023, Maternal & Family Health Services—a U.S. nonprofit healthcare provider—confirmed that a ransomware attack exposed sensitive information of patients, staff, and vendors, according to TechCrunch. After taking more than a year to resolve the incident, the healthcare group has not publicly disclosed information about the attackers or whether it paid the ransom demand.

Such threats to an organization’s cybersecurity include zero-day vulnerabilities, slow releases of patches, evolved spearphishing scams that involve social engineering, and a lack of multifactor authentication, O’Brien adds. He also notes that sometimes, “too many vendors have access to various parts of our systems, multiplying the risk.”

At the end of the day, however, security leaders seek solutions to their limitations, especially when mitigating against malware or other cyberattacks.

Internally, O’Brien says that it helps to remain up to date with deploying any patches, enforcing multifactor authentication on all systems, and conducting refresher cybersecurity training for staff. When it comes to personally identifiable information (PII), he recommends encrypting all devices that can host such information and purging PII data once it is no longer needed.

O’Brien also notes that there are external options that nonprofits can use to improve their security practices, including reaching out to experts, such as lawyers or cybersecurity professionals, as well as investing in a cyber insurance policy.

Government grants are also available for nonprofits’ security efforts. This kind of resource is “tremendous,” according to Garelik, because it means that a nonprofit will ultimately not be forced to reallocate internal funds to make the organization safer.

The U.S. Federal Emergency Management Agency’s Nonprofit Security Grant Program (NSGP) offers organizations financial support for security upgrades for physical security, site hardening, and in some instances cybersecurity improvements. The grant, which Garelik describes as “a tremendous resource for houses of worship,” earmarks $150,000 per facility for improving security infrastructure.

With Chabad’s headquarters based in New York, Garelik also points to a state grant—the Securing Communities Against Hate Crimes program—that will reimburse cybersecurity improvement efforts. “With $50,000 you can do pretty good upgrades to your facility, cybersecurity-wise,” Garelik says.

Sara Mosqueda is associate editor for Security Management. You can connect with her on Twitter and LinkedIn.