What’s Happening in Nonprofit Cybersecurity?
According to the report, 2024 saw a slight slowdown in reported cybersecurity incidents, but unfortunately, the overall rate remains high. Nearly 500 suspected account compromises were flagged, though confirmed cases dropped by 27%. Wire fraud incidents also decreased, thanks to better staff training and stricter financial controls. Still, every wire fraud case involved an internal compromised account – a reminder that vigilance is essential.
Training Makes a Difference
In positive news, security awareness training adoption grew by 20%, with more organizations rolling out formal programs. This investment is paying off, as improved email security tools and requirements are reducing phishing and account compromise rates.
Multi-Factor Authentication (MFA): Progress and Gaps
Stronger MFA methods — like physical security keys and advanced authentication tools — are being deployed for high-risk roles. However, universal adoption is still lagging, leaving some organizations exposed to advanced threats like AI-powered phishing and Attacker-in-the-Middle (AitM) attacks that can bypass MFA.
Emerging Threats to Watch
Nonprofits need to keep their eyes on the following new cyber-attack strategies:
- AI-powered phishing: Attackers use artificial intelligence to craft convincing scams.
- Attacker-in-the-Middle (AitM): Also known as Man-in-the-Middle, or MITM, these attacks can circumvent MFA protections.
- Pastejacking & Malicious App Registration: New techniques for stealing credentials.
- Shadow IT: Staff using unauthorized tools, especially AI, without proper policies.
- Personal Attacks (Doxxing): Targeting nonprofit staff for their mission-driven work.
2024 Incident Data at a Glance

Year-over-Year Changes
The following shows the changes in types of attacks from 2023 to 2024.

Building a Resilient Cybersecurity Posture: Urgent Recommendations
As you can see, the cybersecurity threat landscape continues to shift dramatically from year to year, presenting new challenges and opportunities for nonprofits. Understanding these year-over-year changes is essential for developing an effective and resilient security strategy.
Here are some of the critical steps the report suggests you take now:
- Executive Ownership & Written Policies: Assign clear executive responsibility for cybersecurity. Maintain and enforce key policies (IT use, incident response, AI use, disaster recovery, data retention).
- Security Awareness Training: Provide regular, mandatory cybersecurity awareness training for all staff to recognize and report phishing, scams, and suspicious activity.
- Multi-Factor Authentication (MFA): Require MFA for all accounts. Use physical security keys (like the YubiKey device) for sensitive roles.
- Technical Controls: Use password managers, spam/phishing filters, antivirus, and keep all systems updated. Schedule and test backups regularly.
- Incident Response: Maintain and update an Incident Response Plan. Encourage a culture of reporting anything unusual.
- Cyber Insurance: Maintain and review cyber insurance coverage to ensure it meets current risks and compliance requirements.
Nonprofits: Stay Vigilant!
Nonprofits face a chaotic and evolving threat landscape. While some attack types are declining, email-based threats and targeted scams remain prevalent. The foundation for effective cybersecurity is clear: strong policies, regular training, robust authentication, and executive-level commitment.
By following these urgent recommendations, nonprofits can build resilience and better protect their mission, staff, and stakeholders.
For forty-two years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website or send us a message!