Between July 2020 and June 2022, the CyberPeace Institute recorded 157 cases of cyber incidents impacting nonprofits. The cyberattack against the International Committee of the Red Cross earlier this year raised particular concern within the humanitarian and development community when servers containing personal data belonging to more than 515,000 people globally were hacked.
“Nonprofits are facing unique cybersecurity threats for a couple of reasons,” explained Chris Niggel, the regional chief security officer for the Americas at Okta, an identity and access management company. “Hackers not only attack for financial gain, but also political reasons. In addition, these organizations are often financially constrained when it comes to investing in information security, which makes them easier targets.”
But there are several solutions at hand. Just by deploying so-called multifactor authentication — meaning a user needs to present two or more independent pieces of evidence, such as a password plus a one-time code from a device they hold, before accessing a system — 99.9% of account-compromise attacks can be blocked, according to Microsoft. Despite these benefits, Niggel said that “everyone, not only nonprofits, is still bad at using these tools.”
In addition to offering services including multifactor authentication, Okta recently launched an Information Sharing and Analysis Center in partnership with nonprofit consortium NetHope and the U.S. Agency for International Development, to help humanitarian organizations respond to cyber threats. “It provides a platform where the organizations can share threat and risk information to help protect the entire industry,” Niggel said.
Speaking to Devex, Niggel elaborated on the challenges nonprofits are facing when it comes to cybersecurity and how Okta is working with organizations to overcome them.
This conversation has been edited for length and clarity.
Can you give an overview of the cybersecurity landscape for nonprofits?
Nonprofits and private companies alike are targeted by attackers who wish to disrupt their business for financial gain. Typically this comes in the form of encrypting or stealing employee or customer personal data, holding it for ransom, and threatening release if it’s not paid. Nonprofits also have to contend with additional threat actors that are politically motivated, commonly called hacktivists, and in some cases, state-sponsored attackers, who disagree with the nonprofit's mission, or are trying to leverage the connections an organization has with other governments.
Nonprofits are also typically more resource-constrained than private companies, as funding may be tied to specific goals or objectives, limiting what is available for operational and information security. Nonprofits are therefore more likely to be using older technologies which makes them easier targets. This results in a large resource disparity between most nonprofits and these more capable sets of attackers, and thus, when an organization suffers a compromise, it has an outsized impact on the mission.
How is Okta working with nonprofits to address these issues?
We are working with nonprofits on updating their infrastructure, as getting funding to spend on technical infrastructure and tooling can be very challenging for these types of organizations.
Okta works with other companies to provide modern, cloud-based tools at an affordable price. By moving organizations away from on-premise tools to cloud-based technologies, we enable them to improve their security posture significantly by using the same cloud services that are trusted by some of the largest corporations worldwide. There is a common misperception among organizations that using cloud services is a less safe option to store data due to lack of physical control — but it’s actually the other way around.
Second, we provide a discounted service to help nonprofits gain control over access control to these cloud resources. Deploying multifactor authentication, or MFA, blocks over 99.9% of account-compromising attacks, yet most organizations struggle with deployment.
Finally, to assist organizations to make these security improvements, Okta offers pro bono professional services to help organizations set up their cloud services securely.
Can you tell us more about the Information Sharing and Analysis Center Okta launched with NetHope and USAID to help humanitarian organizations respond to cyber threats?
Intelligence sharing within information security can be very challenging. Organizations are often reluctant to share data about the attacks they are seeing, as in many cases they are concerned that the information could be used to attack them. These Information Sharing and Analysis Centers, or ISACs, form a safe space where organizations in the same industry can confidentially share threat and risk information to help protect the entire industry. ISACs started in regulated industries such as financial and health care, but until now, there has not been one tuned to the unique threats seen by nonprofits. With NetHope and USAID, we are hoping to change that.
Okta’s role in this is to help provide funding to organizations to build this ISAC, as well as to provide grants that are not tied directly to the mission of that nonprofit. Grants and donations are typically aligned with the mission; in fact, per a report from the Center for Effective Philanthropy, only about 20% of nonprofit funding in the U.S. is unrestricted. This makes funding overhead and security challenging and opens the opportunity for the private sector to step up and provide these unrestricted grants that can be used to improve infrastructure.
What do you think needs to happen to prevent these types of attacks and improve nonprofits’ cyber resilience?
As a software and service industry, we need to find methods that will close the resource gap between nonprofits and well-funded attackers. Security tools need to run well across different platforms and work together. Programs such as the Open Cybersecurity Schema Framework, which we are working on with several other organizations, can help make that happen.
When it comes to ransomware, in particular, the long-term solutions are more around steps that need to be taken by regulators. The challenge is that ransomware is a financially viable attack. And that's, in many cases, due to the lack of regulation around cryptocurrencies. It allows attackers and individuals operating in other countries to get paid in a way that's very challenging, or even impossible, to trace. So by creating more regulations around cryptocurrencies, we can apply the same anti-theft and anti-money laundering controls that we have internationally and make these types of cyberattacks a lot less financially beneficial.
Nonprofits themselves can also improve resilience by recognizing the importance of cybersecurity to their operational capabilities. Steps such as deploying MFA can significantly reduce the risk of an attack, and security needs to be elevated within the organization to the board level to ensure that appropriate resources are given to this task, and that funding is sourced to achieve these goals.
Do you have a call to action or recommendation you’d like to share with the global development community?
The most impactful steps organizations can take are to ensure that sensitive data is protected with MFA, that collaboration and email tools and systems are up to date, and that users are applying critical security patches quickly. Once those steps are in place, resources such as the U.S. Cybersecurity & Infrastructure Security Agency’s Cyber Essentials provide a great playbook with advice for nonprofits and small- and medium-sized businesses on further protection against these threats and building a top-down culture of security.