Joy O’Neal discovered her Alabama-based nonprofit, the Red Barn, had been hacked when her brother called her on an early morning in April 2015. Instead of displaying information about its equine-therapy programs for youth or its upcoming fundraising event, the nonprofit’s website showed an image of a man holding a large gun. Alongside it was text from “Islamic State Hackers” calling for “Freedom For Palestine And All Muslims.”
“My heart just sunk because I didn’t even know what to do with this,” she says.
While there is no comprehensive data on how many nonprofits have fallen victim to cyberattacks in recent years, the Red Barn is far from alone. The latest data from the FBI found cybercrime complaints filed by all organizations and individuals more than doubled from 2018 to 2022 and, over the past five years, $27.6 billion was lost to cybercrimes. Recent major hacks of nonprofits include the Jewish Federation of Greater Washington and Save the Children, which lost $7.5 million and nearly $1 million respectively.
Cybersecurity experts say nonprofits are just as vulnerable to attacks as for-profit companies and government institutions, particularly because many nonprofits don’t dedicate resources to cybersecurity. But it doesn’t have to be that way, as the cost and time involved in protecting against cyberattacks — such as malware, phishing, and denial-of-service attacks — are relatively low, especially when compared to the price of recovering from them.
Amy Sample Ward, CEO of NTEN, a nonprofit assisting charitable organizations with technology, says their organization sees that many nonprofits still aren’t bolstering their security practices, for example, by using strong password management.
“Not seeing an improvement collectively as a sector in what we are proactively doing for security makes me feel nervous,” Ward says.
Nonprofit tech experts say it’s essential for organizations to train staff members on cybersecurity and to appoint a designated response team in case of an attack.
O’Neal’s experience opened her eyes to this need. She and her team at Red Barn have put in place several simple protections to avoid a repeat attack.
“I think the most important thing to do is invest some time and some money into your cybersecurity no matter how small you are,” says Shannon Horsley, office manager at Red Barn.
Nonprofits at Risk
Michael Enos, senior director of community and platform at TechSoup, which has provided technology support and tools to nonprofits since 1987, agrees it’s imperative for organizations to develop a cybersecurity plan.
Enos says the most common cyberattack is when hackers disguise who they are to persuade people to hand over sensitive data. Phishing scams, in which seemingly legitimate businesses or individuals use emails, text messages, or other communication methods to trick users into divulging sensitive data or downloading malware, have been the top reported cybercrime since 2019, according to FBI data.
Jim O’Keefe, an IT security architect and engineer at Tech Impact, a nonprofit that provides technology services to other charities, says that phishing attempts in the past were easier to catch because those emails often had misspellings and poor English, but that’s no longer always the case.
“Phishing attacks are getting much more advanced,” he says. “You don’t want to click on a link that you’re not expecting.”
The second most common vulnerability nonprofits are likely to see, Enos says, comes from not adopting the latest security updates on websites and other systems. Outdated software is more likely to have vulnerabilities that can be exploited by attackers using ransomware, a form of malicious software that locks up data and holds it for ransom, according to the cybersecurity company Cloudflare.
Experts say all nonprofits regardless of size should develop a plan to deal with cyberattacks.
As part of those plans, Afua Bruce, principal of the consulting firm ANB Advisory Group, says nonprofits should be prepared to notify their IT team and board of directors promptly in case of an attack. It’s important to loop in the board of directors, she says, because cyberattacks can significantly disrupt operations and affect a nonprofit’s reputation. Organizations should also do their best to contain the attack, such as by changing passwords or taking systems offline, she says.
“If you don’t have a cybersecurity response plan on the books,” she says, “as with most disaster response, it’s more chaotic, more frenetic. [You] make more mistakes in responding and will often take longer to respond as well.”
Cost of Hacks
Since the Red Barn didn’t have a plan ready, its response was rushed and inefficient. Hackers didn’t target the Red Barn directly. They went after the server hosting the website, which was created in 2012 by volunteers who had not registered the domain in the nonprofit’s name.
Without ownership of the domain or any way to contact those old volunteers, O’Neal had to reach out to the domain registrar, GoDaddy, and build a new website from scratch. Because the hack was from a supposed Islamic State sympathizer, she and the company hosting the original website also reported the hack to the FBI.
Meanwhile, the Red Barn had a fundraising concert scheduled to start two weeks after the attack. O’Neal had to get the website online quickly to promote it, while also fielding calls from the nonprofit’s supporters who were concerned about the hack.
Those concerns got amplified when, a week before the fundraising event, news broke that a graduate of a nearby high school had joined the extremist militant group ISIS. Some parents of youth attending the Red Barn’s programs feared the two events were connected, despite O’Neal’s attempts to explain that wasn’t the case.
Ultimately, O’Neal says, the hack cost her nonprofit thousands of dollars. She had to pay for a new website, and online donations plummeted because donors feared their information would be stolen. The fundraising event also attracted far fewer attendees compared with the number of tickets sold.
Since then, the Red Barn has bolstered its cybersecurity. It now runs its website through Managed WordPress, a website hosting platform that takes regular backups and automatically applies security and maintenance updates. The nonprofit also uses multi-factor authentication, which requires a second proof of identity beyond a password to log into online accounts, and spends about $277 annually on cybersecurity insurance.
Horsley, the office manager, says she has taught herself a lot more about key cybersecurity measures. She says if nonprofits don’t have a staff member who can do that work, they should turn to outside resources.
“Take advantage of the resources that are made available to you by your insurance company, or your payroll company, or any professional volunteers that you have who are in IT or cybersecurity,” she says.
O’Keefe says nonprofits shouldn’t let the cost of cybersecurity improvements deter them.
“The average cost to recover from a cybersecurity attack is in the multi-millions of dollars,” he says. “But to be prepared is much lower in cost.”
The global average cost of a data breach was $4.4 million in 2022, according to a report from IBM examining hacks involving companies, government entities, and nonprofits.
That’s a lesson O’Neal has learned herself.
“We didn’t think the cost of the high-level security was worth it, but now we do.”