12/11/2018 | Episode 31

Data Breaches and Nonprofits: Surprising Vulnerabilities

When you think of data breaches, nonprofits probably don't come to mind. But their sensitive data and lack of resources leave them uniquely vulnerable. Nomi Conway, a fraud fighter from Square who's now working with nonprofits at UC Berkeley, shares her insights.

Nomi Conway is a seasoned fraud fighter and law student at UC Berkeley.

Hosted By

Roxanna “Evan” Ramzipoor is a content marketing manager at Sift Science. Her debut novel The Ventriloquists will be released in 2019.

Transcript

Evan: Welcome to “Trust and Safety in Numbers,” presented by Sift Science. I’m your host, Evan Ramzipoor. When you think of data breaches, what comes to mind? It’s probably large e-commerce sites, companies like Equifax. Maybe even the U.S. government. Nonprofits probably aren’t at the top of the list, but they’re uniquely vulnerable to attack. For one, nonprofit organizations are minimally resourced and staffed. Budget is more likely to be allocated to personnel and communications than to cybersecurity and fraud prevention.

A survey conducted back in 2016 revealed that 57% of nonprofit executives consider cybersecurity one of their top 10 concerns. But only 29% said their organizations are planning on increasing spending on cybersecurity and fraud. And a paltry 11% said their organization had a team specifically dedicated to risk or even IT. The stakes are high too. Fraudsters who target nonprofits, hacking into their systems and holding their data for ransom, know that nonprofits are more likely to pay up than other entities. After all, democracy-building organizations, aid and relief organizations, and other NGOs often store data that’s used to save lives. And in the wrong hands, it could be used to take lives instead.

That’s where Nomi Conway comes in. Nomi is a second-year law student at UC Berkeley. There she’s involved in a project that’s designed to address these high-stakes risks to nonprofits. Before that, she worked in risk and compliance at Square, where she primarily handled account takeover. I’m sitting down with Nomi to learn about what she’s working on. But first, let’s warm up with a quick fraud fact.

Did you know that last year 107 million people traveled between Thanksgiving and New Year? To learn how fraudsters are capitalizing on the holiday travel rush, check out “It’s the Fraudiest Time of Year for Travelers” on the Sift Science blog. Now, on to the interview. A lot of the work that you do is aimed at overturning a common assumption, basically a misperception, of what cybersecurity and online fraud look like. What can you tell us about that misperception?

Nomi: So, I think a really important emerging field within cybersecurity is this idea of cybersecurity in the public interest. I think people still have this conception of cybersecurity as a highly technical field, which it certainly is in most ways. But it’s also something that is becoming inextricably tied with the public interest and the public good. And when our critical infrastructure and our refrigerators and our microwaves are now connected to the internet, it’s not just affecting a country as a whole, it’s not just affecting corporations, it’s really affecting the everyday person. And so, I’m really excited to be a part of the Center for Long-Term Cybersecurity here at Berkeley. And I think that they are one example of an organization that’s really diving into this area of public interest cybersecurity.

Evan: What does the threat landscape look like for nonprofits?

Nomi: So, that’s a difficult question to give a blanket answer to. I would say, it’s really hard to generalize for nonprofits, just as it’s hard to generalize for a private corporation. And I think as any good security professional would do, it’s really important to threat model the individual nonprofit. That being said, I think there’s one thing that these organizations do have in common, and that’s that they don’t have as many resources as they should to focus on security. And they’re also much less likely to have a dedicated security person within the organization. And so, that makes their whole threat model a little bit more complicated and perhaps higher threat in general.

But I would say, so, just like any other organization, it’s important to think about what a particular nonprofit is trying to protect and from whom they’re trying to protect it. And so, that will hinge upon the mission of the organization, the source of funding for the organization, the types of entities that they support. So, whether you’re trying to support journalists, activists, other groups with potentially controversial missions, I think it’s also important to think about where the organization is located. And geography is really important to understand the local or national political landscape.

So, I think nonprofits are vulnerable to all the types of attacks that any organization might also be vulnerable to. Anyone who is compiling data that could potentially have financial or other value, I think, becomes a target of this kind of attack. And it’s interesting to see how different entities, you know, the target population has really grown for these hackers. And whether they’re simply financially motivated or potentially motivated because they’re a nation-state actor, so long as the data is there and there’s potential financial gain or reputational damage to be done, I think there’s incentive for these attackers to go after anyone who has what they’re looking for.

Evan: Many human rights organizations compile sensitive data. Just to give an example, there are human rights organizations aimed at alleviating the suffering of AIDS patients in countries that stigmatize the disease. And if that data gets out, it could be very problematic, to say the least, for the patients. How do nonprofits keep their data private, especially when it’s so sensitive?

Nomi: So, I guess the best answer would be that they should be minimizing the amount of data that they’re collecting to begin with, and implementing strong encryption. Unfortunately, I don’t think that that’s necessarily the norm for these types of organizations. And again, part of that goes back to the fact that they’re just really strapped for resources in this space and potentially don’t have someone helping them think through why collecting certain data could be problematic when they’re so mission-driven and focused on the cause that they’re supporting. And that may not always be the first or even second thing that they’re thinking about.

Evan: So what are you doing to help alleviate the risks that nonprofit organizations face in their day-to-day operations?

Nomi: Specifically, I’m working on a project to test a clinical model to offer cybersecurity services pro bono to nonprofit organizations like the ones that we’ve discussed. And I think it’s really representative of this larger shift towards thinking about cybersecurity in the public interest. And I think it’s also really important to note that while it’s crucial to have people with technical backgrounds on these types of projects, it’s also an area where people with backgrounds in law and policy and general community organizing or even project management can really have an impact on. And I, as well as the Center for Long-Term Cybersecurity, am really committed to expanding the cybersecurity workforce.

Evan: What other businesses and entities are out there trying to help nonprofits stave off cyber-attacks and fraud?

Nomi: So, I think it’s really exciting that there are a growing number of organizations out there to assist organizations who need help in the realm of cybersecurity and privacy. A couple of places that immediately come to mind, especially local to the Bay Area, are the ACLU and the Electronic Frontier Foundation, but there are also a lot of other resources out there. Companies like Google offer Project Shield, which is free cybersecurity services to smaller, under-resourced organizations. And, you know, people are starting to offer free services for smaller groups that might need it. And I think that’s a really exciting development.

Evan: Thanks for joining me on “Trust and Safety in Numbers.” Until next time, stay vigilant, fraud fighters.