Another Mission Critical For Nonprofits: Better Cybersecurity

Organizations serving underrepresented groups are uniquely vulnerable online. Here's how they can stay safer.
Dec. 17, 2018

In 2016, some supporters of the National Abortion Access Bowl-a-Thon received emails containing pictures of fetuses. Around the same time, a distributed denial of service attack (which is an attempt to disrupt normal traffic of a targeted server, service or network by overwhelming it with a flood of Internet traffic) took down the group’s online fundraiser. The event also received nearly $66 billion in fraudulent donations. Online hackers perpetrated all of these actions.

Organizations serving marginalized communities are particularly vulnerable to these kinds of cybersecurity hacks – and yet these organizations, often non-profits, usually aren’t the ones we think of when we conjure traditional images of who cybersecurity is for. More often, we picture cybersecurity as government computer scientists guarding critical intelligence data from nefarious foreign hackers, or an engineer protecting a large bank from financial fraud.

Imagine, instead, a nonprofit animal shelter’s Facebook page being hacked and the page being used to direct users to a fraudulent GoFundMe site. Or imagine a white supremacist organization gaining access to the personally identifiable information of clients and volunteers of an immigration advocacy non-profit. Or imagine a housing rights organization employee who fell victim to a phishing or malware attack, and exposed the financial data of clients who were already in precarious financial states.

Critically, these institutions often don’t think of themselves as targets of hackers, which means they aren’t thinking deeply about how to protect themselves; instead, the employees and volunteers are focused on accomplishing the mission, serving the community, and making change.

While it’s understandable, this cybersecurity blindspot can be dangerous. The impact of any breach could have far-reaching implications for those vulnerable populations served by nonprofits -- groups of people who are already at risk for higher levels of online abuse and insecurity. To effectively provide services that lead to social change, community-based organizations must develop and implement cybersecurity practices to protect the communities that they serve.

Since the question of how best to implement cybersecurity can overwhelm large corporations with established information technology departments, it’s understandable that smaller community-based organizations would also lack clarity on how to ensure their operations -- and their clients, volunteers, and employees -- stay safe. While having a dedicated cybersecurity specialist on staff may not be possible for most community-based organizations, there are actions these organizations can take as they build capacity.

  1. Educate all employees and volunteers, at least semi-annually, on cybersecurity, including the basics of phishing, malware, and social engineering. The National Initiative for Cybersecurity Careers and Studies and the Federal Trade Commission have free cybersecurity awareness materials you can quickly use with your employees. For a broader education, NTEN, an organization of nonprofit technology professionals, offers an IT Security Fundamentals course.
  2. Utilize best practices for securing online accounts, including using two-factor authentication and a password manager (and explaining what these things are, and why they’re important, during cybersecurity trainings).
  3. Maintain secure systems by installing security software and setting it up so that it updates automatically (rather than relying on users to do so), as well as regularly backing up files offline.
  4. Practice good mobile security -- encouraging employees not to use public wifi when they’re on an employer’s computer, or to connect to public wifi through a Virtual Private Network (VPN).

These actions represent the first line of defense for non-profits, but most organizations will need to continuously innovate their practices in a world where cyber attack methods are constantly evolving. This is even more challenging because there are few people that nonprofit employees and employers can turn to for advice and guidance: There’s already a shortfall of cybersecurity professionals generally, and even fewer professionals who understand the unique challenges of the civil rights and social justice space. The perspective of those in civil rights and social justice work, as well as members of underrepresented groups, is essential for working on behalf of vulnerable communities, and is yet another reason why it’s crucial for the cybersecurity workforce to become more diverse.