Community IT Innovators is the only IT firm exclusively focused on serving nonprofits in Washington, D.C. As a result of our focus, we’re uniquely positioned to track sector trends, including this Cybersecurity Incident Report summary.
We’ve capitalized on that position to compile the 2021 Nonprofit Cybersecurity Incident Report: a survey of the cybersecurity data we see in the nonprofit sector.
We currently support approximately 140 unique organizations that represent about 5,000 computers. Here’s a high-level overview of the nonprofit cybersecurity trends our 2021 report has uncovered, presented as five key insights.
1. The amount of spam nonprofits receive has increased by 170%.
There was a significant increase in the amount of reported spam in 2019. I believe that this is due largely to improved training and education.
We want staff to err on the side of caution and forward any suspicious email to our help desk for evaluation. That helps to avoid more serious issues, such as viruses or even ransomware being delivered through email. Our help desk can review and evaluate a suspected spam email in just a few minutes. That’s preferable to the several-hour impact that can result from a virus-infected computer or from recovering data that’s been encrypted by ransomware.
All of that said, the data is striking – we recorded a 170% increase in spam reports over the past year.
2. The number of spear phishing attacks increased by 321%.
Perhaps a more concerning security trend involving email is the increase in spear phishing attacks.
This is a targeted form of fraud that often impersonates (or “spoofs”) a known sender. In this case an actual adversary reviews your website to learn the names of the Executive Director, the Director of Finance and HR, and the Admin Assistant, then uses those names to craft a message designed to elicit a response.
The fraud is almost always financially related: buying gift cards under the pretense of a new-staff welcome, or updating ACH information for staff payroll.
We’ve also seen these attacks used to engage a staff person in conversation to elicit more information about an organization and personally identifiable information about its staff. Examples include asking for copies of payroll information or W2s. Other cases include pivoting to attack partner organizations or crafting specialized messages to board members.
Our 2020 report found incidents of this activity up by 321%.
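The impersonation pattern described above (a harvested staff name on mail from outside the organization, replies routed elsewhere, a look-alike domain, and a financial lure) can be turned into a few mechanical header checks that a help desk or mail filter can run before a human reads the message. The following is an added example written for this summary, not Community IT's own tooling; the organization domain, staff directory, and sample messages are all constructed for illustration.

```python
"""Added example: header checks for executive-impersonation spear phishing.

Not Community IT's code. The org domain, staff directory and sample
messages below are constructed assumptions for illustration.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed assumptions: the organization's mail domain and the
# public-facing staff names an adversary could harvest from its website.
ORG_DOMAIN = "example.org"
STAFF_DIRECTORY = {
    "jane doe": "Executive Director",
    "sam lee": "Director of Finance and HR",
    "pat kim": "Admin Assistant",
}
# Lure phrases drawn from the fraud patterns the report describes.
LURE_PATTERNS = re.compile(r"\b(gift cards?|ach|payroll|w-?2s?|wire)\b", re.IGNORECASE)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if malformed."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace in a display name."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw: str) -> list[str]:
    """Return the names of the rules a raw RFC 5322 header block triggers."""
    msg = HeaderParser().parsestr(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # Rule 1: a known staff name on mail that did not come from the org's domain.
    if _normalize_name(from_name) in STAFF_DIRECTORY and from_domain != ORG_DOMAIN:
        findings.append("display_name_impersonation")

    # Rule 2: replies are silently routed to a different domain than the sender's.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")

    # Rule 3: sender domain is a near miss of the org's own domain (e.g. a digit swap).
    if from_domain and from_domain != ORG_DOMAIN and _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # Rule 4: subject carries a financial lure; low severity on its own.
    if LURE_PATTERNS.search(msg.get("Subject", "")):
        findings.append("financial_lure")

    return findings


# Constructed sample header blocks (not real messages).
SAMPLE_SPOOF = (
    'From: "Jane Doe" <jdoe.exec@freemail.test>\n'
    'Reply-To: "Jane Doe" <exec.jane@otherfree.test>\n'
    "To: pat.kim@example.org\n"
    "Subject: Quick task - need gift cards for new staff welcome\n\n"
)
SAMPLE_LOOKALIKE = (
    'From: "Sam Lee" <sam.lee@examp1e.org>\n'
    "To: pat.kim@example.org\n"
    "Subject: Updated ACH information for payroll\n\n"
)
SAMPLE_LEGIT = (
    'From: "Jane Doe" <jane.doe@example.org>\n'
    "To: pat.kim@example.org\n"
    "Subject: Board agenda\n\n"
)

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(f"{label}: {analyze_headers(sample) or 'no findings'}")
```

Two or more findings on one message is a strong signal worth routing straight to the help desk queue the report describes; a lone `financial_lure` hit is expected on plenty of legitimate finance mail and is better used to raise priority than to block.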
3. Social service organizations are most vulnerable to phishing attacks.
Our data shows that, out of all of the nonprofit sectors we serve, social service organizations seem to be the most prone to successful business email compromise attacks. This may be due to the large proportion of interns and volunteers at these organizations.
Lack of a formalized security awareness training program is likely also a contributing factor.
4. Foreign government attacks are a real risk.
Policy and advocacy nonprofit organizations and think tanks have gained the attention of Advanced Persistent Threat actors (foreign government funded cyber operatives).
These actors are focused on gaining and maintaining access to systems as a way of gaining insight into the policy and thought leadership that is being shared with our nation’s decision makers. Advocacy groups are also being targeted with these threats in order to influence their advocacy or silence NGO actors in opposition to their government.
While a relatively small number of incidents can be attributed to these well-funded state sponsored attacks, they have an outsized impact.
5. Ransomware, viruses, and malware occurrences remain static.
Overall, the number of incidents associated with viruses and malware is very low in our data set. At Community IT, we invest heavily in providing a multilayered approach to cybersecurity that starts with ensuring operating system updates are applied on a regular basis.
In addition, we also manage many third-party updates. Community IT also deploys managed antivirus on all Windows workstations and Cisco’s Umbrella for protection against web-based threats. We have now had over 3 years with no ransomware on our managed networks.
This is an area where our data set may not be representative of the industry as a whole; ransomware does appear to be undergoing a resurgence, with several high-profile attacks against city and county governments including Baltimore and Atlanta in 2019.
These attacks are very expensive to respond to and remediate. A ransomware attack on the City of Baltimore cost over $18.2 million in direct expenses related to response and multiples of that in lost productivity and lost revenue.
How the Data Impacts Cybersecurity Response
Community IT released an updated Cybersecurity Playbook in 2021. The lessons learned from protecting and responding to these recorded threats help to inform our approach to investing in solutions. While we take a standards-based approach to our cybersecurity protection, understanding the unique environment that nonprofits operate in helps to inform our prioritized list of recommendations.
Three steps your nonprofit organization can take right now based on this Cybersecurity Incident Report summary are:
- Invest in a robust security awareness training program
- Protect your staff from business email compromise (BEC)
- Implement Multi-Factor Authentication (MFA)
Working with a managed IT service provider can help.
Ready to take action on your nonprofit’s cybersecurity stance?
Our data show that nonprofits face high degrees of cybersecurity risk – and far too many aren’t adequately prepared.
At Community IT Innovators, we can help.
We’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value. The problem is that these providers don’t understand or address important vulnerabilities.
As a result, cyber damages are all too common.
Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.
If this report leaves you questioning your cybersecurity preparedness, then it’s time to take action. To take the first step toward nonprofit IT support that drastically reduces cybersecurity risk, get in touch with us today.