A CISO’s never-ending quest to secure cyber funding from senior management often becomes a matter of prioritization. Does the organization prefer to grow its SOC team and perhaps purchase a new IAM platform? Or does it instead want to allocate the majority of its budget toward other business objectives, such as marketing and innovation?
If you think that’s a tough call, now imagine you’re a nonprofit organization or charity and you have to decide how to divvy up funds between badly needed cyber investments and fulfilling your core mission, which is providing desperately needed resources to people in need.
It’s easy to always lean toward the mission, but if you ignore cyber risk for too long, then your organization could fall victim to an attack that altogether disrupts your services — harming many in the process. After all, for many unethical cybercriminals, nonprofits are fair game. Indeed, a March 2021 report from the U.K.’s Department for Digital, Culture, Media and Sport revealed that 26% of charities experienced a cyber breach or attack in 2020, and there is no doubt a precedent of nonprofits such as food banks experiencing ransomware attacks and other data security incidents.
With this conundrum in mind, a pair of nonprofit cyber organizations have recently announced their latest partnerships and endeavors to provide free services that can help their fellow nonprofits establish IT security best practices and more effectively protect their data and systems.
On Thursday, Boston-based Sightline Security announced that its brand-new partner, network security giant Cisco Systems, has created a new private communications channel through which Sightline’s approximately 30 nonprofit members can share their security stories, discuss and assess vendor products, and more. Just a day earlier, Toronto-based Hackers for Change revealed its own new partnership with AppSec company Detectify, which will be providing nonprofits its web application scanner for free.
A forgotten sector
Launched in 2018, Sightline was founded by CEO Kelley Misata, who also serves as executive director of The Open Information Security Foundation, a nonprofit with a mission to build open-source security technologies. A marketer, researcher and business strategist, Misata detoured into cybersecurity after enduring years of cyberstalking and discovering that nonprofits were ill-prepared to help her. This inspired her to develop an expertise in nonprofits’ own security preparedness.
Misata believes that nonprofits represent a somewhat forgotten sector that’s been overlooked by the cybersecurity community, which she says often assumes charities have little appetite for improving their cyber defenses.
“I would argue that nonprofits are ‘the other critical infrastructure,’ because of how much nonprofits ensure that people have a roof over their heads and have mental health support and have food on the table,” said Misata. “And we need to start weaving them into this conversation and not just sort of putting them in the corner and saying they can't afford us.”
Time is of the essence for many of these charities, even if they don’t know it yet. Misata said that Sightline has already seen and documented within its own member community ransomware incidents that connected to the recent Blackbaud breach and the wave of SamSam encryptor attacks. “And, these attacks actually affect kids being fed and communities being served,” she noted.
Sightline’s primary offering is an assessment test that nonprofits can take to discover their highest areas of risk. A Sightline expert — often Misata herself — will analyze the member’s results and help recommend a plan to address these areas. Through the organization’s member forum — hosted in collaboration with the Global Cyber Alliance — nonprofits can then visit a “partner marketplace” to learn of relevant offerings from information security vendors, browse through curated news and information, or use the new private discussion space from Cisco to engage in dialogue with other nonprofits and share threat intel, with no vendor input or influence whatsoever.
Wendy Nather, a member of Sightline’s advisory group and head of advisory CISOs at Cisco, stressed the importance of the member charities having their own place to conduct a private chat. “For any group that's trying to share security information, they need a place to find each other — a place to build trust and to share what could be [sensitive] information, especially if they fell victim to something,” she said.
Providing services and training
Meanwhile, Hackers for Change provides charities with its own set of donated cybersecurity services, at no cost, while also endeavoring to increase Canada’s infosec and ethical hacking workforce through training and education opportunities. The latest tool, Detectify’s scanner, will help user organizations identify and prioritize vulnerabilities in their custom-built web apps, and then patch them before they can be exploited.
Through other solutions partners, Hackers for Change also offers security awareness training, penetration testing and a dark web credentials monitoring service. Senior security practitioners volunteer their time to provide the training and pentesting, and allow up-and-coming junior professionals to assist and learn on the job.
"Charities and nonprofits are increasingly becoming the product of cybersecurity attacks and can't afford $10,000 a week for cybersecurity consulting," said Manny Mand, CEO of Hackers for Change. "Using our volunteer ecosystem, we execute free cybersecurity services for charities and nonprofits... with the hope of securing their organizations and, in return, rendering that experience for our junior consultants who can then take that experience and use that to get a job in the industry."
Cyber posture or mission?
As noted earlier, one of the biggest challenges is convincing charities that dedicating some of their energy and funding toward bolstering their cyber posture actually helps their objectives in the long run, as opposed to impeding them.
“One of the things that makes the nonprofit space so interesting and unique is that they are fiercely dedicated to their missions. If you gave them a choice of ‘Give somebody a bed to sleep in versus secure a database,’ they're going to give somebody a bed to sleep in, always,” said Misata.
“I think it's the same as a lot of business calculations,” added Nather. “Especially if you're bootstrapping a business and you have to decide where to spend your small amount of money, you're going to prioritize whatever gets you to your mission and goals. And like with all kinds of risk, including cybersecurity risk, any business person is going to try to put off investing in things that might not happen until they actually are about to [happen].”
“And we can't fault them for that, and we shouldn't change them in that regard,” Misata continued. “So what else can we do to help them be better secure? Well, it's up to us to figure it out.”
And so that means educating nonprofit leadership to look at cyber as something that actually helps their mission — “so that it is more about weaving [cyber] into their business, instead of security having to be something that they hire from the outside — that has to be a special project only once a year,” Misata explained. “Part of our work is helping them weave how security feeds into giving them the accessibility to give that person a bed to sleep in — by protecting the organization.”
Unique risks nonprofits face
That means communicating the unique risks that charities often face. Consider the fact that many of these organizations — whether they serve domestic violence victims or LGBTQ+ youth or homeless families — likely collect highly sensitive and private data on people whom they’re trying to help. It is well within everyone’s interest to keep such information safe and private.
And it’s not just charity recipients who suffer when a data breach occurs. Financial contributors are also endangered. For instance, “we’re seeing nonprofits being spoofed to some of their donors… to get into the systems of their donors,” said Misata. So when a breach happens, “it puts the trust of that organization at risk in their community and [among] their donors.”
Other organizations may even attract more elaborate cyber espionage, noted Rickard Carlsson, co-founder and CEO of Detectify. These include "the type of charities and/or nonprofit that might be handling things related to democracies in other countries, or people that are fighting international regimes," he said. In these cases, "you start to see almost very advanced attacks towards these organizations, where the level of security needed might actually be very high."
“They need to understand the probabilities” of an attack, explained Nather. “Sometimes it's a matter of hearing about another nonprofit that was hit by ransomware and thinking, ‘Oh, this is a lot more probable than we thought. We'd better do something now.’ So part of that is helping them decide for themselves when the time is right.”
Still, it’s not as if all nonprofits have an aversion to spending on cybersecurity or are oblivious to the risks out there. Some are very much willing to spend, and “many of them understand that data is a valued asset in their organization,” said Misata. However, in many cases, they “just don't know how to protect it.” Or they may rely too heavily on outsourcing security to third-party service providers “because they need to be able to make their business operations efficient, but they don't understand the risks around it.”
That’s where offering complimentary expertise and advisory services, assessment tools, vulnerability scanning and other solutions can help provide even more direction.
It may not result in perfect cyber posture, "but they're definitely a lot better than they were prior to us getting involved, for sure," said Mand.