Why Nonprofits Are Being Targeted by Cyberattacks — and What You Can Do About It

Updated: May 2

Cybercriminals are no longer just targeting big corporations. Nonprofits are now one of the most vulnerable and frequently attacked sectors. But why? And what can your organization do to stay protected — especially with limited resources?

Recent studies confirm the growing threat — and show just how critical it is for nonprofits to take action now.


What the Data Says

  • According to The Modern Nonprofit, 70% of nonprofits lack a cybersecurity policy, and 60% have already experienced an attack

  • Microsoft’s 2021 Digital Defense Report revealed that nonprofits were the second most-targeted sector by nation-state actors — accounting for 31% of notifications

  • A 2023 study by the CyberPeace Institute found that 41% of Geneva-based nonprofits had experienced a cyberattack

  • Globally, 27% of nonprofits have reported cyber incidents, according to the 2023 Nonprofit Tech for Good Report


Why Are Nonprofits Targeted?

  • Valuable data: Donor info, beneficiary records, and financial accounts

  • Limited IT budgets: Outdated systems, no full-time cybersecurity staff

  • Lack of training: Many nonprofits don’t provide regular cybersecurity training for staff or volunteers

Even if you’re not a high-profile organization, attackers assume you have just enough data — and not enough defenses.


5 Steps Nonprofits Can Take Right Now

  1. Train Your People

    Most breaches start with human error. Train staff and volunteers to spot phishing emails and malicious website links, repel social engineering attacks, use strong passwords, and enable MFA.

  2. Back Up Your Data Offsite

    Keep encrypted backups in a secure, cloud-based or offline location. Ransomware attacks can cripple operations if you don’t have backups.

  3. Update and Patch Everything

    Outdated software and plugins are a common attack path. Schedule regular updates and remove unused tools.

  4. Appoint a Cyber Point Person

    Even without IT staff, assign someone to own cybersecurity basics — with some light training and external support.

  5. Ask for Help

    Don’t wait until something breaks. Take advantage of free programs like CYBERRISKED’s Cyber Safety Office Hours for Nonprofits. We offer 30-minute private consults to help you assess risk, ask questions, and build confidence. And if your situation warrants, we may be able to offer you more help as part of our Giving Back Program.


Our Final Thought

Cybersecurity may feel technical and difficult, but with the right training it really isn’t, and ultimately it’s about protecting your mission. And for nonprofits, that mission is too important to leave exposed. If you serve your community, we’re here to help you protect yours. We encourage you to book a free, private consultation as part of our Cyber Safety Office Hours Program. Bring your questions — we’ll bring clarity and next steps. Book a Free Session →

