Nonprofits work to provide free or reduced cost aid, education, and essential resources throughout communities worldwide, but they often struggle to meet their own needs, particularly when it comes to cybersecurity. While they’re busy helping others, who’s there to help them address increasingly dangerous security gaps?
Experts gathered for an exclusive Dark Reading roundtable agree that approaches need to shift. Better incident reporting, technologies, training, and attention are among the measures needed to face a rising threat, they said, yet are skeptical that nonprofits have the resources to build those defenses.
Threat actors heavily target nonprofit organizations because they hold highly sensitive information, yet many operate with weaker security postures due to a lack of funds and skilled security professionals. However, it is difficult to measure the extent of incidents due to a lack of dependable data. (Read more in “The Data Gap: Why Nonprofit Cyber Incidents Go Underreported.”)
Nonprofits Are Critical Infrastructure
It’s unclear if a majority of organizations can implement all the practices they should to maintain strong security postures due to limited resources or because they don’t take security seriously enough, and it’s especially hard for nonprofits, stressed Wendy Nather, senior research initiatives director at 1Password.
But support is essential, she said, because “nonprofits are the other critical infrastructure” since they provide enormous aid to people in life-and-death situations.
“A lot of people depend on this, especially during natural disasters, so they hold a lot of important data,” Nather said. “Most of the industry doesn’t understand: Nonprofits are as critical as other parts of the industry, but they don’t have the attention, resources, and support that they need.”
Nather and Sightline Security CEO and founder Kelley Misata, Ph.D., are among four Sightline Security advisory board members who attended the roundtable with Dark Reading, alongside Dave Lewis, global advisory CISO at 1Password, and Noma Security CISO Diana Kelley. Board member Tony Welz, principal and co-founder of W2 Communications, moderated the panel by focusing on the challenges nonprofits face, how vendors and peers both help and hinder the problem, and ways nonprofits can raise security standards.
‘Too Much Security Can be Onerous’
One burgeoning challenge is how nonprofits can keep pace with emerging, advanced technology when they haven’t even mastered the basics. Cue artificial intelligence (AI), which even the more mature organizations struggle to implement securely.
Nonprofits are conditioned to look at tools like Claude.ai and check whether they offer nonprofit pricing, explained Misata. However, as a security professional, that sets off alarm bells. The discounts may be good, but the risks could be even greater. The free versions of many of these tools can tap the user’s data to train models and compromise the information.
Implementing those tools presents lots of unknowns and nonprofits aren’t asking the right questions: Do I need that tool? Is it secure? Therefore, it’s not fixing the security problem, Misata added.
“Where we’re seeing challenges is: They love all these solutions, particularly all these sexy ones like the AI tools, but they don’t know from a security standpoint what they need,” she said. “They’re just looking at the flavor of the day.”
If they don’t have the people and expertise to run those tools, giving nonprofits free stuff is not going to help, echoed Nather. For example, they need people to watch the log monitoring, a critical component of strong security.
Even if vendors and peers give nonprofits too much money, that can be just as overwhelming as new technology, said Kelley. She warned that approaches need to be taken carefully. While “too much security can be onerous and not as useful for them,” rushing into new technologies “can lead to adopting things in a way that’s not entirely secure,” she said.
The Human Element
Like everything cybersecurity-related, the human element poses another obstacle. Many people in the industry don’t help nonprofits simply because it’s not in their best financial interest, and many nonprofits can’t afford security talent who can earn a higher salary at a private shop across the street, said Lewis.
Financial concerns have compounded, especially in the past year, due to the economic realities that many industries are facing. They don’t have the funds available to do as much philanthropic work, and that’s having a knock-on effect for nonprofits, added Lewis.
When allocations shift and donors aren’t giving as much throughout the year, nonprofits become distracted looking for new fundraising models. That bites into any security upgrades.
“Having to fill in the gaps of funding that are drying up, that’s making them desperate. That’s making them scared. That’s making them distracted,” Misata said. “So they’re going to struggle with keeping on top of security that’s already new and challenging for them.”
Kelley has observed a similar trend where some large security vendors “will on purpose ignore nonprofits” because they don’t have the kind of money that for-profits have to spend. That trend was common across the roundtable.
“Too often, even as human beings, we will go into a nonprofit with a paradigm of ‘you’re poor, you’re less than,’ bucketing all nonprofits into a one-size-fits-all mentality,” Misata said. “When you’re looking through the lens of security, that can be really dangerous.”
Instead, it’s vital to look at them as a business — an important lesson Misata and others on the panel said they have learned. Seeing nonprofits as a business is shifting the conversation, she added.
Check Your Security Ego at the Door
The panelists continually stress how important it is to recognize that nonprofits don’t fit into one bucket; they comprise different sectors, from healthcare to finance, have different missions, and operate with different risk profiles. That translates to different threat landscapes, business models, and customer bases.
“You’ve got to be able to sit with organizations and connect and understand them,” Misata said.
Though panelists agree that many large enterprises ignore nonprofits’ struggles, some do dedicate philanthropic efforts to support them. Kelley, a former Microsoft chief technology officer, highlights that company as one example.
“My message to nonprofits: Find the companies that do this,” Kelley said.
When companies do help nonprofits decide what their security priority is, they can often act on it quickly, said Nather. If nonprofits decide something is important enough, they can go ahead and do it, she added.
But security professionals must approach nonprofits with a different perspective, leaving the “security is the most important” mindset behind. Many business imperatives come way before security for any organization, and it’s the same with nonprofits; their mission comes first, Nather said.
“We might say, ‘I can’t believe you’re using SMS for two-factor authentication. How can you do that?’” Nather said. “Meanwhile, someone is freezing to death on the street corner. You’ve got to have the right perspective when you’re working with critical infrastructure like nonprofits.”
