What Grant Applicants Tell Us About Nonprofit Cyber Security 

Written By Steve Sharer

One of the commitments we make as a Benefit Corporation is to devote at least 5% of our annual working hours to pro bono cyber security services for organizations in need. Through our Cyber Security for Good Grant, we partner with purpose-driven organizations—nonprofits, B Corps, and other mission-focused groups—to help them strengthen their security posture without straining already tight resources.  

In our latest grant cycle, we received a remarkable range of applications from organizations of different sizes, missions, and geographic footprints. We’re excited to share some of the insights gleaned from these applicants, as well as highlight common cyber security challenges affecting the nonprofit sector. Throughout the year, we'll be sharing stories from our work with these grant awardees, taking care to protect their identities and sensitive data. 

A Quick Look at Applicant Demographics 

Size: 

  • The average organization had around 33 staff members. 

  • The largest applicant had 1,600 staff. 

Location: 

  • Most organizations were based in the United States. 

  • We also saw applications from Brazil, Canada, Colombia, and Côte d'Ivoire. 

Mission Focuses: 

  • Immigrant & refugee rights 

  • LGBTQ+ advocacy 

  • Public health 

  • Environmental sustainability & conservation 

  • Education 

  • Culture & art 

These figures underscore that the need for cyber security in the nonprofit sector transcends organizational size, regional boundaries, and mission areas. 

Recent Cyber Security Initiatives 

When asked about recent cyber security initiatives that organizations had undertaken, applicants highlighted a few common strategies: 

  • Staff Training: The most frequently cited initiative. Organizations are actively educating teams on best practices and general cyber security awareness. 

  • Email Security: Phishing prevention tactics, along with DMARC, DKIM, and SPF implementations, came up often. 

  • Third-Party Security Assessments: Several groups have conducted or are planning formal evaluations to identify system vulnerabilities. 

  • Security Policies: Many applicants are crafting or updating policies to strengthen internal protocols. 

  • Multi-Factor Authentication (MFA): Encouragingly, MFA is widely adopted or being actively rolled out to bolster account security. 

Common Cyber Security Incidents 

Despite these efforts, many applicants have still faced cyber security incidents recently. The most commonly reported attack types included: 

  • Account Compromise: Often traced back to weak credentials or lack of MFA, leading to unauthorized access. 

  • Phishing: Targeted emails resulting in credential theft or other fraudulent activity. 

  • Malware: Infections that disrupted operations or required significant remediation efforts. 

  • Denial of Service: Attacks that disrupted online services, impacting donors and service recipients. 

  • Data Breach: At least one organization reported an incident where sensitive data was accessed without authorization. 

Top Concerns Keeping Leaders Up at Night 

We also asked applicants about their biggest cyber security worries. Their responses fell into several recurring themes: 

  • Data Breaches: The fear of exposing sensitive information—and the reputational and operational fallout that could follow—remains paramount. 

  • Phishing & Social Engineering: Many see phishing as a constant threat, with staff potentially targeted by increasingly sophisticated scams. 

  • Ransomware: Ongoing headlines about ransomware continue to fuel concerns about operational shutdowns and financial losses. 

  • Lack of Resources: Staffing and budget limitations often mean security measures are scaled back or postponed. 

  • Identity & Access Management: Weak credentials and insufficient access controls can open the door to major security incidents. 

  • Cloud Security: As more services move to the cloud, organizations feel the pressure to secure these newer environments effectively. 

  • Third-Party Risks: Applicants recognize that even with strong in-house controls, vulnerabilities can also stem from vendor or partner networks. 

Looking Ahead 

The challenges outlined by our grant applicants reinforce how critical cyber security is across every facet of the nonprofit sector. These organizations work tirelessly to fulfill their missions, often under intense resource constraints. By offering pro bono support, we aim to make meaningful strides in closing the cyber security gap for these mission-driven groups. 

In the coming months, we’ll share stories and lessons learned from our work with grant awardees. Our hope is to raise awareness about emerging threats and practical security measures that can empower nonprofits and B Corps alike. We’ll continue to protect the identities and sensitive data of our grantees, while highlighting real-world examples of how proactive cyber security efforts can help organizations remain resilient in a rapidly evolving threat landscape. 

If you represent a nonprofit or a purpose-driven organization, we invite you to learn more about our Cyber Security for Good Grant and consider signing up to be notified when applications reopen here.  

 If you have any questions or stories to share, don’t hesitate to reach out. Together, we can build stronger defenses and ensure that mission-focused organizations stay focused on what they do best: changing the world for the better. 

Steve Sharer
Previous

Nonprofit Data Breaches & Their Impact
Next

Simple Cyber Security Wins for Cyber Security Awareness Month