It’s not immediately obvious why cybersecurity would be a top priority for Land Is Life, a New York nonprofit that works internationally to help organizations led by Indigenous people to protect their way of life. After all, the group often works with people who have had little exposure to modern technology, and many grant applicants apply by phone.

But cyberattacks are a growing menace to nonprofit organizations around the world, and Land Is Life is no exception. Its security fund distributes small grants totaling around $400,000 a year to assist Indigenous activists and charity leaders who have faced threats. Land Is Life received pro bono assistance from a student-led clinic at the University of California at Berkeley’s Center for Long-Term Cybersecurity to make sure the grant applications — and the charity’s own data — are secure and don’t fall into the hands of those threatening Indigenous people in the first place.

“One of our coordinators in Colombia is also an activist,” says Ana Jerolamon, interim co-director of Land Is Life. “She is threatened on a daily basis digitally. We wanted to ensure that information submitted by grant applicants would be secure.”

Land Is Life has plenty of company, as more and more charities seek to keep their data safe from cyberattacks. In just the past few months, BoardSource, a research and support organization for nonprofit boards, and Planned Parenthood Los Angeles have gone public about data breaches by cybercriminals.

For years, most charities spent little on cybersecurity, due in part to a lack of funds but also out of a sense that government agencies and businesses would be more likely targets for hackers. That complacency ended after the 2020 ransomware attack on Blackbaud, which affected many charities in the United States and around the world. The good news, tech experts say, is that a growing number of companies and tech-focused charities are offering free or low-cost expert help to address the threat.

“Until recently, data security has been a ‘nice to have’ for nonprofit organizations,” says Michael Enos, senior director of community and platform for TechSoup, a charity that provides technology systems and assistance to other organizations. “Now it’s a must have.”

For most nonprofits, he says, reputation is everything. If an organization suffers a breach because it was careless with data, donors may flee. “It takes a small period of time for years and years of brand development to go down the tubes if you mishandle this.”

Tempting Targets

Nonprofits are an attractive target for cybercriminals because many do little to defend against attacks yet possess valuable data, including donor records. The pandemic, which led to an abrupt change to remote work, left many charities even more exposed.

Microsoft’s Digital Security Unit says nonprofit organizations are the most common target for cybercriminals motivated by nationalism.

“Cybercriminals are starting to realize that nonprofits and NGOs are a fantastic market,” says Adrien Ogée, chief operating officer of the CyberPeace Institute, an organization in Geneva that works to enhance the stability of cyberspace.

Few charities are prepared to rebuff or respond to intrusions. Roughly 70 percent of the nonprofit organizations that Microsoft works with have not conducted a basic risk assessment to understand where vulnerabilities may exist in their technology infrastructure. And a 2018 survey — the latest available from NTEN, a nonprofit that helps charitable organizations with technology — found that only 21 percent of nonprofits had plans to respond to a cyberattack.

Sensitive Data

The Blackbaud breach primarily exposed data about donors and the size of their contributions. But it’s not hard to envision worse scenarios. Land Is Life’s security program helps Indigenous people threatened by governments or others relocate to safer areas or set up security cameras in their homes. Cyberattackers could use stolen data from grant applications to locate and physically attack the Indigenous activists.

Plenty of nonprofits have sensitive data about vulnerable people, but most aren’t doing a good job of securing it, says Jim Fruchterman, founder and CEO of Tech Matters, which helps social-change organizations better use technology. He says he’s aware of at least one nonprofit that sent an email with an unencrypted file that included personal information about sexual-assault survivors.

“Nonprofits tap into sensitive issues, and we don’t treat that data with the respect it deserves,” Fruchterman says. “What happens when a leak of child sexual-abuse survivors gets posted on some list? Are we taking the steps necessary to prevent that?”

Part of the problem, Fruchterman says, is what he describes as the “cult of the custom” — the homegrown or customized software systems that many charities use, which are more likely to be vulnerable to cyberattacks. The needs of for-profit businesses tend to be more standardized, and they can afford to pay more, which means tech companies are more likely to create comprehensive software packages to serve them. All too often, nonprofits “have a half-time IT person who throws something together,” Fruchterman says.

“If I run a golf course, I have three choices of software to manage a tee time,” he says. “If I’m helping the most vulnerable children on the planet, I’ve got an Excel spreadsheet and paper.”

Broad, Automated Attacks

Technology isn’t the only problem. The way nonprofits think about the threat of cyberattacks can be just as important. A major hurdle for many organizations is “lack of agency” — the feeling that they simply can’t match up against the dark forces trying to hack into their systems, says Ann Cleaveland, executive director of Berkeley’s Center for Long-Term Cybersecurity.

“Nihilism is probably too strong a word — but definitely everybody is feeling overmatched,” she says.