
Cyberthreats – A Growing Threat to Nonprofit Resilience

Cyberthreats just keep getting worse.


When I identified Cyberthreats as Challenge 13 in Managing Your Nonprofit for Resilience, the warning signs were clear. Today, the risks are even greater. Small and mid-sized nonprofits remain especially vulnerable: limited IT staff, outdated systems, tight budgets, and low awareness create a perfect storm. Cybersecurity is no longer an IT chore; it is a core resilience issue and a direct mission-protection priority. My goal in this post, and in two others we will publish this week, is to be candid about the risks while offering supportive, realistic guidance, and to help you see that cybersecurity is mission security and that you can manage it proactively. Here is a brief overview of the current threat landscape, highlighting what has changed since 2022.

Nonprofits Are Targets

Nonprofits handle sensitive information (donor data, client records, payment details) and provide critical services, yet many assume they’re “too small” to attract hackers. In reality, attackers view them as high-value, low-defense opportunities.

Many Nonprofits Have Valuable Data With Insufficient Protections

Many nonprofits collect personal and financial data (donor names, emails, credit card numbers, even health or client information) that can be sold or used for fraud. Yet 70% of nonprofits lack a formal cybersecurity policy, and many don’t invest in strong defenses. Hackers know this and view nonprofits as “low-hanging fruit” that often can’t fight back. In short, high-value data + weak security = attractive target.

Many Lack Support

Smaller nonprofits often lack dedicated IT or cybersecurity personnel. Staff and volunteers wear many hats and may not have specialized training to recognize cyber threats. Without dedicated technical support, missteps are easier and attacks are harder to spot.

Hackers Know the Importance of Nonprofit Missions

Cybercriminals know nonprofits feel urgency to keep services running, making them more likely to pay ransoms or rush decisions.

Hackers Are Often Vigilantes

Hackers are not only in it for the money; some see themselves as advocates for a cause and pick targets by ideology rather than by what they can steal. With political tensions at fever pitch these days, if your mission doesn’t fit with the Trump Administration’s priorities, you are also a target.

Recognizing this risk is the first step to managing it. My goal isn’t to alarm you; it’s to underscore that awareness is the foundation of protection.

It's Getting Worse

So, has the cyberthreat landscape for nonprofits improved or worsened since late 2022? Unfortunately, in many ways, it’s gotten worse. Cyberattacks are growing in frequency and sophistication, though awareness is slowly rising in response. Let’s break down the current landscape:

Rising Volume of Attacks

Cyber incidents targeting nonprofits have continued to surge. Industry research shows that nonprofits experienced substantially more cyber incidents over the past two years, mirroring global trends. Ransomware attacks on nonprofits have doubled recently. Ransomware and phishing campaigns have scaled dramatically due to automation and AI. The spike in attacks means the odds of your organization encountering an incident are growing each year. Examples abound:

  • In May 2024, Ascension Health, one of the largest nonprofit health systems in the U.S., suffered a ransomware attack that disrupted hospital operations and forced some emergency rooms to divert patients elsewhere. The breach started when an employee inadvertently downloaded malware, showing how one mistake can snowball into an enterprise-wide crisis. Sensitive patient data was stolen, and critical services were delayed. This is a stark reminder that cyber incidents can literally put lives at risk in a nonprofit healthcare context.
  • In July 2024, a cyberattack hit OneBlood, a Florida-based nonprofit that supplies blood to over 350 hospitals. The attack (later confirmed as ransomware) stifled OneBlood’s operations, knocking out its software systems. Staff had to revert to manual processes to label and distribute blood. With distribution at “significantly reduced capacity,” OneBlood urged partner hospitals to enact emergency blood shortage protocols. This incident underscored how a hack can disrupt essential community services.
  • Even the education sector hasn’t been spared. The National Student Clearinghouse, a Virginia-based educational nonprofit, was swept up in a major supply-chain cyberattack in 2023. Hackers exploited a vulnerability in widely used file-transfer software (MOVEit), compromising personal data (including SSNs and academic records) from 890 schools via the Clearinghouse. This type of indirect attack, which targets a piece of software used by many organizations at once, has become more common, meaning a nonprofit can be breached through a vendor’s product without ever being attacked directly.

These examples bring home that the threat is very real and current. Attacks that lock up databases, steal donor or client information, or simply crash your systems can strike at any time.

More Dangerous Tactics

Cybercriminals have refined their tools since 2022. Ransomware gangs now often engage in double extortion: not only encrypting your files but also stealing data first and threatening to leak it if you don’t pay. This means a good backup alone no longer takes the pressure off, since restoring your systems does nothing about the stolen copy. The average ransom demand also rose sharply, by nearly $1 million from 2023 to 2024.

Additionally, attackers leverage automation and even AI to craft more believable phishing lures and to scan for vulnerabilities. We’re seeing more supply-chain attacks (like the MOVEit example) where hacking one software vendor can compromise hundreds of organizations at once. AI also enables things like deepfake voicemails or personalized scam emails that are harder to detect; the old advice to watch for clumsy grammar and misspellings no longer works when the message is machine-written in fluent English. In short, the “bad guys” are upping their game with new tricks.

The Consequences May be Devastating

A cyber incident can have devastating consequences for a nonprofit, undermining its mission and viability. Consider the fallout that many organizations face after an attack:

  • Operational Disruption: Ransomware or system outages can halt mission delivery. Even a short interruption affects clients, partners, and community services.
  • Financial Losses: Costs may include investigation, recovery, legal help, system upgrades, potential credit monitoring, and lost revenue. For organizations with lean margins, even a moderate incident can be destabilizing.
  • Reputation and Trust Damage: Nonprofits depend on trust. A breach can shake donor confidence and raise concerns among beneficiaries and partners—sometimes for years.
  • Regulatory and Legal Exposure: Most states require breach notification, and nonprofits handling sensitive data may face additional rules (HIPAA for health information, GDPR for data on people in the EU, PCI DSS for card payments). Investigations, lawsuits, and compliance work add time and stress during an already difficult period.

In short, a cyberattack can hit a nonprofit on multiple fronts. It can interrupt your programs, drain money, alienate supporters, and create legal exposure. It’s a nightmare scenario we all hope to avoid.

While It’s Not All Bad News, Comfort Is Elusive

On a more positive note, there has been increased attention from regulators and the government on cybersecurity, which translates to new requirements and resources that nonprofits need to be aware of in 2025. The trend is certainly negative, but regulators are not standing still:

  • Data security rules are tightening. For instance, New York amended its data breach law in December 2024 to require that any organization (including nonprofits) notify affected individuals within 30 days of discovering a breach, a far stricter timeline than the old “as expediently as possible” standard. Effective March 2025, New York also expanded the definition of protected “private information” to include medical and health insurance data, meaning a nonprofit handling health-related info now faces additional compliance obligations. Even if your nonprofit isn’t in NY, this trend toward more aggressive breach notification laws is spreading.
  • Industry standards have also evolved. The Payment Card Industry Data Security Standard (PCI DSS 4.0) took full effect at the end of March 2025, and nonprofits that process credit card donations must comply with its updated security controls. PCI 4.0 imposes tougher requirements. For example, if you embed donation forms directly in your own website (rather than sending donors to a page hosted by your payment processor), you are now responsible for keeping an inventory of every script that runs on that page, authorizing each one, and detecting unauthorized changes to the page (requirements 6.4.3 and 11.6.1). This change responds to the rise in “e-skimming” attacks, in which a malicious script slipped into a donation page copies card numbers as donors type them.
  • At the federal level, cybersecurity has been a priority, although the issue has been muddled with the advent of the second Trump Administration. While there hasn’t been a sweeping new federal law just for nonprofits, the government is pushing for greater accountability across the board. In 2023, the SEC adopted rules requiring publicly traded companies to disclose material cyberattacks within four business days of determining they are material. This is a sign of higher expectations around transparency, and a practice that nonprofits would be wise to emulate for their stakeholders. Nearly every state (47 at last count) has laws requiring nonprofits to notify individuals if certain personal data is breached. The bottom line is that regulators, donors, and the public are raising the bar and expecting nonprofits to protect data and respond swiftly if an incident occurs.
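The script-inventory and change-detection checks that PCI DSS 4.0 asks for on payment pages (requirements 6.4.3 and 11.6.1) can be automated in a few dozen lines. The Python below is an added example for this post, not code from the original, from the PCI Council, or from any payment vendor: it parses a constructed sample donation page, flags every script that is not served from an approved host or is not pinned with an integrity hash, and computes a fingerprint of the page’s script set so a later run can tell whether the page changed. The host names, the integrity value, the inline script and the sample HTML are all invented placeholders.

```python
"""Audit the scripts on a donation page (added example, not from the post).

Mirrors the intent of PCI DSS v4 requirements 6.4.3 (inventory and authorise
every script on the payment page) and 11.6.1 (detect unauthorised changes).
All host names, hashes and the sample HTML below are constructed placeholders.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts on the donation page (hypothetical).
ALLOWED_SCRIPT_HOSTS = {"js.example-payments.test", "www.example-nonprofit.test"}

# Constructed sample page: the processor's embed script (pinned with SRI), the
# site's own script (allowed host, but not pinned), a surprise third-party
# script (the shape of an e-skimming injection), and one reviewed inline script.
SAMPLE_PAGE = """<html><head>
<script src="https://js.example-payments.test/v3/embed.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://www.example-nonprofit.test/static/donate.js"></script>
<script src="https://cdn.totally-legit-analytics.test/t.js"></script>
<script>window.donationCurrency = "USD";</script>
</head><body><form id="donate"></form></body></html>
"""

# Inline scripts that have been reviewed, identified by SHA-256 of their body.
KNOWN_INLINE_SHA256 = {
    hashlib.sha256(b'window.donationCurrency = "USD";').hexdigest(),
}


class _ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []  # list of (src, integrity attribute or None)
        self.inline = []    # list of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _collect(html):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p


def audit_scripts(html, allowed_hosts, known_inline_sha256):
    """One finding per script, with a status a reviewer can act on."""
    p = _collect(html)
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            status = "unauthorized-host"
        elif not integrity:
            status = "missing-integrity"  # approved host, but not pinned with SRI
        else:
            status = "ok"
        findings.append({"kind": "external", "src": src, "status": status})
    for body in p.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        status = "ok" if digest in known_inline_sha256 else "unknown-inline"
        findings.append({"kind": "inline", "sha256": digest, "status": status})
    return findings


def page_fingerprint(html):
    """Stable digest of the page's script set; compare runs to detect changes."""
    p = _collect(html)
    items = sorted(f"ext:{src}:{integrity or ''}" for src, integrity in p.external)
    items += sorted("inl:" + hashlib.sha256(b.strip().encode()).hexdigest() for b in p.inline)
    return hashlib.sha256("\n".join(items).encode()).hexdigest()


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_PAGE, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_SHA256):
        print(f["status"].ljust(18), f.get("src") or "inline:" + f["sha256"][:12])
    print("fingerprint", page_fingerprint(SAMPLE_PAGE))
```

In practice you would feed this the HTML fetched from the live donation page on a schedule, alert on any finding whose status is not ok, and alert when the fingerprint differs from the last baseline someone approved. Note the limit of this approach: it sees the scripts present in the page source, not scripts that an already-loaded script injects later at runtime, so it complements rather than replaces a Content-Security-Policy with reporting or a browser-side monitor.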

Has anything improved? Awareness has, and more nonprofit-specific resources exist. Some grantmakers now ask about an organization’s cybersecurity posture as part of due diligence, which can motivate nonprofits to put basic protections in place. But overall, the threat environment has intensified. The gap between nonprofit defenses and criminal tactics is still wide in many cases, meaning the risk of a serious incident is higher than ever.

However, there is hope. Even incremental improvements can significantly reduce your risk. I’ll discuss them in my next post; stay tuned.