Nonprofit cybersecurity is, increasingly, a crucial consideration. Cyberattacks are on the rise. Cyber defense professionals constantly need to adapt. Organizations can’t afford to take cybersecurity risks lightly, and the industry’s statistics reflect this reality.

Here are 10 numbers that you should know.

1. Hackers attack every 39 seconds, on average 2,244 times a day.

(From University of Maryland research)

First, let’s set the stage at a general level: There is a barrage of cyberattack attempts happening all the time. It’s important to note that these are simply active efforts by cybercriminals – not all of them are successful, and certainly not all attacks are directed against a nonprofit.

Still, though, the sheer volume of attacks paints a stark picture of baseline risk levels. Many people are actively trying to breach networks, steal data, and compromise organizations. This is happening around the clock. The risk is real.

2. 94% of malware is delivered by email.

(From Verizon)

We’ve established that cybercriminals are active. Now, let’s take a look at how attacks are successfully delivered. Interestingly, one of the older technology platforms is still the primary means of delivering malware: attackers overwhelmingly use email.

Usually, email attacks are carried out using social engineering, or “phishing”, to convince unsuspecting users to take action – perhaps to download a file that appears to come from a colleague, or to click on another type of malicious link. Nonprofits must be wary of these attack methods, and ideally, should provide users training on how to securely use email.

3. The estimated number of passwords used by humans and machines worldwide has grown to 300 billion+.

(From SC Magazine)

Here’s another area of vulnerability that’s been steadily utilized by hackers through the years: insecure passwords.

While the statistic above doesn’t necessarily indicate that there will be 300 billion insecure passwords, other data does suggest that 86% of passwords are weak. In other words, more systems are secured by passwords than ever before – and often, that means that those systems aren’t very strongly secured at all.

4. 68% of business leaders feel their cybersecurity risks are increasing.

(From Accenture)

Admittedly, based on the numbers we’ve just reviewed, this statistic probably isn’t too surprising. But it’s a revealing display of the gravity with which leaders are viewing cybersecurity in general.

5. 82% of employers report a shortage of cybersecurity skills.

(From Information Systems Security Association)

Yet, in spite of the increasing risks, most organizations aren’t equipped with the personnel and talent to cover cybersecurity needs. There are simply too many roles required by too many organizations, and too few cybersecurity professionals to fill them.

Note that 82% isn’t industry specific. But nonprofits are often even less likely to have access to top talent – robust internal IT teams are often too costly to maintain, especially for mid-sized (or smaller) nonprofit organizations. The good news is that these organizations can mitigate this issue by outsourcing to an expert provider.

6. 56% of nonprofits don’t require multi-factor authentication (MFA) to log into online accounts.

(From NTEN)

Multi-factor authentication is a means of increasing security when users log into accounts; essentially, MFA requires that users have access to two (or more) sources of information. When you log into a platform and then are required to enter a passcode that’s been texted to your phone, you’re using MFA.

MFA greatly increases the security of accounts – and most nonprofits don’t use it.

7. Only 26% of nonprofits actively monitor their network environments.

(From NTEN)

The majority of nonprofits don’t actively monitor their environments for cybersecurity threats. This is problematic, because active monitoring can greatly reduce response time during a cybersecurity event – which can go a long way toward mitigating damage.

Now, about a third of nonprofits do employ passive monitoring (which means keeping and regularly reviewing logs). But this reactive approach, while better than nothing, can still lead to too long an interval between an attack and its discovery.

8. 59% of nonprofits do not provide any cybersecurity training to staff on a regular basis

(From NTEN)

Most nonprofits don’t regularly train their staff on cybersecurity issues. Of those that do regularly train staff, the majority only do so annually.

This is a major cause for concern, especially given the data we looked at earlier. Email and password usage are two areas where training can greatly reduce the risk of attack. If users understand best practice in avoiding phishing attacks and are up to date on how to securely use passwords, nonprofits will be less vulnerable.

9. More than 70% of nonprofits have not run even one vulnerability assessment to evaluate their potential risk exposure.

(From CohnReznick)

This statistic might explain why many nonprofits don’t take aggressive cybersecurity measures. Most simply haven’t assessed their own levels of risk. The first step to planning for improved cybersecurity is often to discover where vulnerabilities lie.

10. Only 20% of nonprofits have a policy in place to address cyberattacks.

(From NTEN)

Finally, on a similar note: 80% of nonprofits don’t have a policy in place to address cyberattacks.

Policies go a long way toward improving response times and mitigating damage (and comprehensive cybersecurity policies can play important roles in reducing risk in the first place). If your nonprofit doesn’t have such a policy in place, take steps to address the issue. These nonprofit cybersecurity stats should drive you to take action.

Concerned about Your Nonprofit’s Cybersecurity Situation?

The reality is that nonprofits face high degrees of cybersecurity risk – and far too many aren’t adequately prepared.

At Community IT Innovators, we can help.

We’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value. The problem is that these options don’t understand or address important vulnerabilities.

As a result, cyber damages are all too common.

Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.

If you see your own organization in these nonprofit cybersecurity stats, then it’s time to take action. To take the first step toward nonprofit IT support that drastically reduces cybersecurity risk, get in touch with us today.

Webinar: 2025 Nonprofit Tech Round Table

CTO Matthew Eshleman, Director of IT Consulting Steve Longenecker, and IT Business Manager Team Lead Norwin Herrera hold a lively and specific discussion of all things nonprofit tech for 2025 and beyond. January 22 at 3pm Eastern, Noon Pacific.

Are You Ready for IT You Can Depend On?

Fill out the form below to request a quote. We’ll be in touch shortly to discuss your needs and take the first step toward better nonprofit IT.