In recent years, ransomware attacks have become a major threat to organizations of all types, including nonprofits. For cybercriminals, nonprofits are especially vulnerable and enticing targets right now, not because of any single technical flaw but because of the most common cybersecurity weaknesses, which are broader than any specific vulnerability and include:
- less hardened security postures
- less ability to rely on experienced security professionals
- lower levels of resources for defense.
The truth is that most organizations, whether for-profit, nonprofit, or even governmental, don’t have endless resources for cybersecurity. Nonprofits are often the most under-resourced.
But just as for any organization, cyber attacks have devastating consequences for nonprofits, including loss of data, reputational damage, and financial loss, any of which can quickly become an existential risk for a nonprofit, which typically has thinner financial and reputational reserves than a well-heeled corporate, governmental, or even small business target.
In this article, we’ll discuss the dangers of ransomware attacks on nonprofits and how they can mitigate the risks through hardened security measures and through the cyber insurance market.
The dangers of ransomware attacks on nonprofits
Nonprofits are particularly vulnerable to ransomware attacks due to their limited budgets and resources. Many nonprofits operate on a shoestring budget, and they often lack the expertise and resources to implement robust cybersecurity measures. Additionally, nonprofits often rely heavily on volunteers, who may not have the same level of security awareness as the full-time, continually trained employees of a corporate or governmental entity.
When a nonprofit is hit by a ransomware attack, it may lose access to critical data such as donor information, financial records, and program data, and often to entire computer systems, since criminals encrypt everything they can reach. Increasingly, attackers also steal data before encrypting it and threaten to publish it unless a separate ransom is paid (so-called double extortion), which means that even a good backup does not by itself end the incident. Beyond delays in program delivery to constituents counting on help, and beyond the loss of donations and other revenue, these disruptions can destroy a nonprofit in a matter of weeks or even days.
In addition to the immediate operational and financial impact of a ransomware attack, nonprofits may also suffer extreme reputational damage. Donors and other stakeholders may lose trust in the organization if they see that the organization was unable to take adequate measures to protect against a cyberattack. The desire to run from an organization is even more pronounced when donors understand that some of their personal or financial data may have been compromised. This can lead to a loss of funding and support, which can have immediate and long-term consequences for mission focus and sustainability of the organization.
Immediate best practices for NGO and nonprofit cybersecurity
The best mitigation is prevention. Despite the high skill of some attackers, most successful intrusions begin with low-tech techniques such as phishing, weak or reused passwords, and unpatched software, and they can be prevented with tools and practices that are low cost or no cost.
These are not a comprehensive security plan, but they are a solid, must-do list of practices that prevent many common cyber attacks. They are drawn from guidance published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
1. Use Multifactor Authentication
It’s known by many names: two-factor authentication, 2FA, MFA, but it means one thing: instead of asking you for just a password, your systems ask for two forms of proof, usually a password plus a temporary code from an authenticator app or a text message, or a physical security key. A code sent by text message is the weakest of these, since phone numbers can be hijacked and a code can be phished and relayed in real time, and a hardware security key is the strongest, but any form of MFA is far better than a password alone. Start with whatever your systems support today, beginning with email, remote access, and financial accounts, and improve from there.
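To make the "temporary code" concrete, here is an added example (not code from the original article or its author) of how the six-digit codes produced by authenticator apps are generated and checked. It implements the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) with the shared-secret value taken from the RFC's own test vectors; the verifier class, its one-step clock-drift window, and its replay check are this example's assumptions about how a server should use those codes.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def generate_secret(num_bytes: int = 20) -> str:
    """Create a fresh random shared secret, base32-encoded the way
    authenticator apps and QR-code enrolment expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (assumed design, not from the article).

    Accepts the code for the current time step plus `window` steps either side
    (to absorb clock drift between phone and server) and remembers the last
    accepted step so the same code cannot be replayed within its validity period."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used, or older than a code we already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Demo with the RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded);
    # a real enrolment would call generate_secret() and share it with the user's app via QR code.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code at t=59:", totp(demo_secret, 59))  # 287082 (RFC 6238 lists the 8-digit form 94287082)
    verifier = TotpVerifier(demo_secret)
    print("first use accepted:", verifier.verify("287082", 59))   # True
    print("replay accepted:", verifier.verify("287082", 59))      # False
```

Two things the code makes visible: the code is only as secret as the shared key, so enrolment secrets must be stored as carefully as passwords, and nothing in the check binds the code to the legitimate website, which is why a phishing page can ask for the code and forward it within the same 30-second step. Security keys (FIDO2/WebAuthn) close that gap by signing the site's origin, which is what "phishing-resistant MFA" refers to.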
2. Automatically update all software
Install updates every time one is offered, and turn on automatic updates wherever the setting exists. When a reputable software vendor becomes aware of a security vulnerability, it issues a patch, and important security fixes are frequently bundled into routine updates without being prominently announced. Attackers routinely scan for systems still running versions with known, already-patched flaws, so the gap between a patch being released and being installed is itself a risk.
3. Educate your people to exercise extreme caution before clicking on links or attachments
Phishing is the starting point for a large share of successful cyberattacks. A criminal sends a message that appears to come from a trusted source (a bank, a vendor, a colleague, a donor) and entices the user to click a link that leads to a credential-harvesting page or to open a malicious attachment. Teach staff and volunteers to verify unexpected requests through a channel they already trust, such as calling the sender at a number on file, and to hover over a link to see where it actually leads before clicking.
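As an added example (not from the original article or its author), the following Python script applies the "check where the link actually leads" advice mechanically to an email body. The sample message, the trusted-domain list, and the three checks it runs (visible text naming a different domain than the link target, a trusted domain name buried inside an unrelated domain, and punycode look-alike hostnames) are all constructed for this illustration; a real mail filter would load its trusted domains from configuration and use the Public Suffix List rather than the simplified domain split shown here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains this organisation and its staff legitimately use or trust.
TRUSTED_DOMAINS = {"example.org", "paypal.com"}

# Constructed sample message body for the demo, not a real phishing email.
SAMPLE_EMAIL = """
<p>Dear supporter,</p>
<p>Thank you for your gift. <a href="https://example.org/donate">Donate again</a>.</p>
<p>Your account needs attention: <a href="https://example.org.account-verify.net/login">example.org</a></p>
<p>View your receipt at <a href="https://xn--pypal-4ve.com/receipt">https://paypal.com/receipt</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified for the demo: real code should
    consult the Public Suffix List so that names like example.co.uk are handled."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Something that looks like a domain name, optionally preceded by a scheme.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def check_link(href: str, text: str) -> list:
    """Return the reasons a link looks suspicious (an empty list means nothing was found)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https", "mailto"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if "xn--" in host:
        reasons.append(f"punycode (possible look-alike) host {host}")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != trusted:
            reasons.append(f"trusted name {trusted} embedded in untrusted domain {host}")
    return reasons


def scan_email(html: str) -> dict:
    """Map each href in the message to its list of warnings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: check_link(href, text) for href, text in extractor.links}


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", warnings or "ok")
```

Only the first link in the sample passes; the second hides the real domain (account-verify.net) behind a trusted-looking prefix, and the third pairs a punycode hostname with visible text that claims to be paypal.com. The same checks are what a person does by hovering, which is why the training point stands even where no tooling is in place.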
4. Use strong passwords together with a secure password manager
Ensure that all passwords are strong and unique. Nicknames, pets’ names, and any dictionary word followed by a few numerals are extremely dangerous as passwords because the cracking tools criminals use try exactly those patterns first and can guess them in seconds. A password should also never be reused across services: when one site is breached, attackers try the leaked credentials everywhere else.
Some users may at first feel that strong passwords are an extreme inconvenience, but with a password manager, which generates and remembers a long random password for every account, they are almost as convenient as using a pet’s name, and infinitely more convenient than dealing with a cyber attack enabled by a weak password.
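To show why "a word plus some digits" is weak and a manager-generated password is not, here is an added example (not code from the original article or its author). It runs a toy version of the "word + digits" cracking rule against a hashed password and then measures the search space of a randomly generated one. The eight-word list, the rule, and the use of plain SHA-256 (chosen only so the demo runs in a second) are constructed for this illustration; real cracking tools use wordlists of millions of entries and far richer rules, and real credential stores must use a slow, salted hash such as bcrypt or Argon2.

```python
import hashlib
import itertools
import math
import secrets
import string

# Constructed wordlist: a handful of entries standing in for the multi-million
# word lists that password-cracking tools ship with.
WORDLIST = ["fluffy", "buddy", "bella", "charlie", "summer", "welcome", "password", "dragon"]

# The 94 printable ASCII characters a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(password: str) -> str:
    """Hash used only to keep the demo fast and self-contained; not a password hash
    to use in production (use bcrypt, scrypt or Argon2 there)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def rule_candidates():
    """Yield guesses in the order a simple 'word + digits' cracking rule tries them:
    every wordlist entry, lower-case or Capitalised, followed by 0 to 4 digits."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            yield base
            for ndigits in range(1, 5):
                for suffix in itertools.product(string.digits, repeat=ndigits):
                    yield base + "".join(suffix)


def crack(target_hash: str, limit: int = 1_000_000):
    """Run the rule attack against one hash.
    Returns (guesses_tried, recovered_password) or (guesses_tried, None)."""
    tried = 0
    for guess in rule_candidates():
        if tried >= limit:
            break
        tried += 1
        if sha256_hex(guess) == target_hash:
            return tried, guess
    return tried, None


def generate_password(length: int = 20) -> str:
    """What a password manager produces: uniformly random characters from a
    cryptographically secure source, with no words or patterns to exploit."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2 of its search space."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses needed to hit a password of the given entropy (half the space)."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    weak = "Fluffy123"
    tried, found = crack(sha256_hex(weak))
    print(f"{weak!r} recovered after {tried} guesses")  # 11346
    strong = generate_password()
    tried, found = crack(sha256_hex(strong))
    print(f"{strong!r} not found after exhausting all {tried} rule guesses")
    bits = entropy_bits(len(strong), len(ALPHABET))
    print(f"{bits:.0f} bits of entropy, about {expected_guesses(bits):.1e} guesses on average")
```

The weak password falls inside the first few thousand guesses of a rule that a laptop can run at millions of hashes per second, while the 20-character random password sits in a space of roughly 2^131 possibilities that no rule shortcuts. Length and randomness, not cleverness, are what the password manager buys you.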
5. Stay on top of cyber alert news about specific and trending attack methods
Cyber criminals are diabolically creative, in both their socially engineered attacks and their technical attacks. It pays to know what kinds of attacks are trending so that you can prepare your team to recognise and resist them. CISA publishes free alerts and advisories you can subscribe to, and it is easy to set an alert for specific keywords in Google News or another news reader.
To emphasize: These basic best practices are necessary, but not sufficient. Other more sophisticated system-wide measures are also needed to adequately protect against cyber attacks, but are beyond the scope of this article.
How insurance can help mitigate the risks of ransomware attacks
Given the risks associated with ransomware attacks, it is essential that nonprofits take steps to protect themselves. Actually “locking the doors and windows,” in other words taking concrete security measures as mentioned in the section above, is a critical step.
But even organizations with the most hardened security are not 100% secure, as recent data leaks from the highest levels of the U.S. government have shown. Just as with a home, you can take every measure to protect it, and a criminal or an accident of nature may still damage it.
That’s why cyber insurance is crucial. Cyber insurance policies can provide a range of benefits, including:
Financial protection: In the event of a ransomware attack, a cyber insurance policy can cover some or all of the costs associated with the attack, depending on the policy. Read the limits, sub-limits, and exclusions carefully, since ransomware-related costs are often capped separately from the overall policy limit.
Incident response: Many cyber insurance policies include incident response services, often delivered through providers the insurer has pre-approved, and having a written incident response plan in place is frequently a requirement to qualify for coverage. These services, which help nonprofits respond quickly and effectively to a ransomware attack, may include forensic investigation, legal advice (including breach-notification obligations), and public relations support.
Risk management: Cyber insurance policies can also help nonprofits improve their cybersecurity posture by providing access to risk management resources. This may include cybersecurity assessments, employee training, and other tools to help prevent ransomware attacks from occurring in the first place. The right risk management strategies can also help nonprofits lower their average cost of cyber insurance over the years, as they prove themselves responsible and capable of reducing their risks of cyberattacks.
When selecting a cyber insurance policy, nonprofits should choose one tailored to their specific needs, considering factors such as the size of the organization, the types of data it stores, and the level of risk associated with its operations. Expect the insurer to ask about the controls described above: many carriers now make multifactor authentication, tested backups, and timely patching conditions of coverage.
Ransomware attacks pose a significant threat to nonprofits, with the potential to cause significant financial and reputational damage. However, by taking steps to protect themselves and investing in cyber insurance, nonprofits can mitigate the risks associated with these attacks. With the right policies and procedures in place, nonprofits can continue to deliver critical services to their communities while protecting their data and operations from harm. Finally, cyber insurance provides not only financial support but expert resources if and when an incident occurs.
About the Author:
Doug Kreitzberg, Founder & CEO of SeedPod Cyber
As CEO of USI Affinity and Programs (2004-2018), Doug led affinity business development, marketing and program businesses, including professional liability, commercial property & casualty, personal lines and life and disability Programs. In 2018, Doug founded a cybersecurity and data privacy risk consulting firm. It was through his consulting practice that he learned the value that Managed Service Providers bring to small and medium sized businesses. That insight formed the basis for SeedPod Cyber, a cyber insurance managing general agency Kreitzberg founded in 2021 which partners with Managed Service Providers to provide cyber insurance to their clients.