Small and medium-sized businesses (SMBs) are a more frequent target of cybercrime than large companies, a trend largely driven by their lack of security resources and expertise. Some SMBs are at greater risk than others: Nonprofit SMBs face a higher incidence of high and critical-severity cyberattacks compared to those in other sectors.
On the surface, the frequency of attacks targeting nonprofit SMBs may seem counterintuitive. There are clearly more lucrative targets for cybercriminals to pursue, and hitting large commercial targets is less likely to generate public outrage. Given the risk and presumably low payday, why is this sector seemingly painted with such a big bullseye?
Let’s examine five reasons why nonprofits are a common target and discuss how your organization can defend against potentially disastrous attacks.
1. Budget challenges lead to outdated PCs and operating systems and limited cybersecurity training
All businesses have financial constraints, but the pressure to keep costs down is especially intense for nonprofits, where money spent on operations is seen as money that can’t be used to support their mission. Nonprofits are reluctant to commit to overhead spending, and many donors hesitate to give money that would go toward costs not directly related to programs.
Unfortunately, cybersecurity protection often falls under “overhead spending.” Funding for security technology, or even for IT upgrades in general, is typically not a top priority. Many nonprofits, especially smaller organizations, lack adequate cybersecurity defenses as a result.
These defenses are essential because the cybersecurity threat landscape is constantly changing. Computers, operating systems and applications must be up-to-date to avoid exposing the environment to vulnerabilities that could put them at risk. Any connected equipment or software left unpatched gives an adversary an opportunity to access an organization.
According to the National Council of Nonprofits, 88% of America's 1.3 million charitable nonprofit organizations operate on an annual budget of $500,000 or less. Budget challenges affecting cybersecurity also affect general IT: some nonprofits rely on PCs donated by businesses and individuals who no longer need them. The same constraints affect staffing, as nonprofits often rely on volunteers to fill roles. Due to financial constraints, cybersecurity training is superficial — if it happens at all. This heightens their risk from common tactics such as phishing.
2. Nonprofits are a source of valuable data
Nonprofits appeal to adversaries not only because of their typically smaller security budgets, but because of the information they hold. Infiltrating a nonprofit’s server could lead adversaries to donors’ credit card and banking information, for example. Some nonprofits sell merchandise or services on their websites and store purchase-related information on their network. While they are typically smaller than major retailers and other for-profit companies, nonprofits present adversaries an opportunity to steal customer data they can use to achieve their goals — and possibly prove the adversary’s worth to larger, more prolific networks of hackers.
Financial data isn’t the only information at risk. Donors may include people or organizations whose status and/or resources make them potential targets. Access to their personal data may be a reason to attack a nonprofit. It’s also likely employee data is stored locally; this may include information such as Social Security numbers, home addresses, phone numbers and banking data. This data can end up sold on the dark web, leading to serious consequences such as identity theft, financial loss and impacted credit scores for affected employees.
3. Nonprofits may be targets due to the causes they represent
Not all cyberattacks aim for profit. Support for certain causes can make nonprofits a target for so-called “hacktivists” or even state-sponsored adversaries. The goal in these cases is often to disrupt the nonprofit and prevent it from accomplishing its mission.
A prime example of this occurred in the Russian invasion of Ukraine. In the lead-up to this war, CrowdStrike tracked a significant increase in malware attacks against Ukrainian companies and media outlets. It has been reported that humanitarian organizations providing aid to Ukrainian refugees and other non-government organizations (NGOs) have also come under cyberattack.
4. Nonprofits can provide access to larger targets through supply chain connections
Nonprofits are part of the supply chain. They likely have login credentials or online access to other companies they do business with; for example, those that supply products and services, process payments and handle financial operations.
This connection, combined with their weak security posture, means attackers may see a nonprofit as a stepping stone to a more lucrative target. They could gain access to the weaker network and use that connection to sneakily establish a foothold within a much larger and better-protected target.
How CrowdStrike Protects Nonprofits and SMBs
The message is clear: a nonprofit’s mission or charitable status doesn’t offer protection from cyberattacks. If anything, analysis shows these organizations are key targets and are attacked with alarming frequency. Even small nonprofits can be targeted — with devastating results.
Modern cybersecurity protection is not an option. It’s a must. Unfortunately, the traditional antivirus solutions often used by SMBs, including many nonprofits, are unable to keep up with the pace and complexity of today’s cyberattacks.
CrowdStrike Falcon® Go is specifically designed to protect SMBs in this ever-evolving threat landscape. Through AI-powered cybersecurity and an intuitive interface, users of all skill levels can quickly and easily deploy industry-leading protection to stop modern cyberattacks that legacy antivirus solutions often miss. Falcon Go secures nonprofits and other SMBs with cybersecurity that deploys quickly, verifies protection and stops adversaries from stealing data.
Multiple industry analysts recognize the AI-native CrowdStrike Falcon® XDR platform as a leading cybersecurity platform. It consistently tops third-party testing results, winning accolades such as the SE Labs AAA Enterprise Advanced Security award, with 100% ransomware detection and prevention.
Nonprofits and SMBs should consult our free SMB cybersecurity resources, which include guides such as the 2023 Small Business Toolkit, How to Create a Cybersecurity Budget and How to Create a Cybersecurity Awareness Training Program, among others. This isn’t the only way CrowdStrike is supporting SMBs: Nonprofits with fewer than 250 endpoints (laptops, computers, servers, smartphones and other devices on their network) can apply for pro bono security software and services, including free access to the industry-leading Falcon platform.
Additional Resources
- Explore CrowdStrike’s small business bundles.
- Learn how the powerful CrowdStrike Falcon platform provides comprehensive protection across your organization, workers and data, wherever they are located.
- Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent™.
- Download CrowdStrike’s Small Business Cybersecurity Survival Guide to learn how to identify threats and stop them — even with limited resources.