In my previous post, I suggested that cybersecurity in philanthropy is less about technology and more about stewardship. That idea becomes clearer when we examine how foundations actually operate.
Foundations have a cyber risk profile that differs in important ways from corporations, universities, or government agencies. The differences are subtle but significant.
Small Teams, High Influence
Most foundations operate with lean internal staff. Even large institutions may have technology teams of only a few people — sometimes just one. Yet the scope of influence can be vast. Foundations fund research, shape public policy discussions, support advocacy organizations, and operate globally. Their digital footprint — email systems, grant management platforms, collaboration tools — carries information that has strategic, financial, and sometimes political implications.
This combination of small internal capacity and high external influence creates asymmetry: a thin layer of internal security expertise protects information whose exposure has consequences well beyond the organization itself.
Highly Relational Work
Philanthropy runs on relationships.
Program officers exchange candid emails with grantees. Board members debate strategy. Staff assess early-stage ideas that are not yet public. Sensitive conversations occur daily — not because anything improper is happening, but because thoughtful work often requires discretion.
That relational model introduces a different kind of vulnerability. Executive impersonation, business email compromise, and social engineering attacks are especially effective in environments where trust is assumed. The typical pattern is mundane: a message that appears to come from an executive or a grantee asks to change banking details or to hurry a disbursement, and a helpful colleague complies. Attackers do not need to break through technical defenses if they can manipulate human ones. The corresponding control is procedural rather than technical: any change to payment instructions is confirmed through a channel other than the one the request arrived on.
In foundations, cyber risk is often social before it is technical.
Discretion and Sensitivity
Foundations frequently support work that is innovative, controversial, or politically sensitive. They may fund early research, policy initiatives, or international programs in complex regions. Exposure of internal deliberations — even without malicious intent — can have consequences. Context matters. Draft proposals, exploratory conversations, and strategic shifts can be misinterpreted if released prematurely.
Unlike a retailer or manufacturer, a foundation’s risk is not primarily transactional. It is contextual.
Vendor and Ecosystem Complexity
Modern foundations rely heavily on third-party platforms: grant management systems, cloud collaboration tools, financial systems, communications vendors, and consultants. Each vendor expands capability — and expands exposure.
Vendor risk is not unique to philanthropy, but in smaller organizations the oversight of those relationships is often informal. Security questionnaires may be brief. Contracts may not fully address data governance: where the data is hosted, who can access it, how and how quickly a breach will be disclosed, and what happens to the data when the relationship ends. The assumption of goodwill can replace structured review. Over time, this creates an ecosystem where risk is distributed across partners but accountability remains internal: a breach at the grant management vendor is still the foundation's breach in the eyes of its grantees.
Cultural Modesty Around Infrastructure
Perhaps most uniquely, foundations are mission-driven organizations. Resources are intended to flow outward. There can be understandable hesitation to invest heavily in internal systems.
Technology is sometimes viewed as overhead rather than mission enablement. Security spending can feel defensive rather than impactful. Yet digital resilience is increasingly inseparable from mission continuity. A ransomware event that halts grant payments or exposes confidential discussions directly affects program outcomes. The tension is real — but it must be managed consciously.
My Final Thoughts
None of these characteristics mean foundations are careless. On the contrary, most I have worked with are thoughtful and responsible institutions. But their structure and culture create a distinct cyber risk profile that deserves equally distinct attention. The goal is not to turn foundations into security operations centers. It is to align governance, culture, and technology so that digital risk is managed with the same care as financial stewardship.
In my next post, I will explore how boards and executive teams can discuss cybersecurity without becoming technologists — and how a small number of focused questions can significantly improve institutional resilience.
Because in philanthropy, protecting trust is not optional: It is foundational.
For over forty-two years, CGNET has provided state-of-the-art IT services to organizations of all sizes, across the globe. We’ve done it all, from IT and cybersecurity assessments to cloud services management to generative AI user training. Want to learn more about who we are and how we might be able to help you? If so, check out our website