Cybersecurity Risk Management for Nonprofits | Aprio Insights

ARTICLE | February 03, 2026

Authored by Aprio

Summary: Cybercriminals are targeting nonprofits more often, putting sensitive data, financial resources, and even their core missions at risk. Some recent high-profile breaches have exposed millions of records and caused serious losses for organizations. Why are nonprofits commonly seen as “mission-rich but cyber-poor”? What can you do to better protect your organization?

Nonprofit organizations (NPOs) are essential to society, supporting communities, advancing causes, and providing critical services. Unfortunately, NPOs are increasingly targeted for cybercrime. Many cybercriminals often view nonprofits as “mission-rich but cyber-poor,” since they hold valuable data and access to substantial funds, but often lack the resources necessary to protect themselves from even the most common and basic hacking methods.

Protecting your nonprofit’s mission and stakeholders is essential. In this article, we explain why hackers target nonprofits, provide real-world breach examples and lessons learned, outline standard attack techniques, and offer a practical, risk-based approach to cybersecurity.

Why are Nonprofits Targeted?

Three factors underly almost most hacks against NPOs:

1. The Potential for Enrichment

In the case of NPOs, this relates primarily to data that can be sold and/or extorted. Personally Identifiable Information of donors, electronic Protected Health Information of patients, and access credentials for NPO employees can all be readily sold on the black market. Many NPOs, especially those with time sensitive and critical missions such as healthcare, are common targets for ransomware. Another reason that NPOs are appealing to hackers is that many have access to funds that can be compromised by way of social engineering or account takeover where they gain access to users’ credentials and transfer the funds themselves.

• A minor but important exception as to hacker motivation pertains to NPOs that have missions that draw the attention of hacktivists intent on disrupting the NPO, for example by defacement of websites, or impairment of operations by way of DDOS or system compromise.

2. The Level of Effort to Conduct the Hack

A common perception is that the NP sector generally does not have security safeguards adequate to protect their sensitive data, funds, and critical systems. Even if you assume for the moment, that this is not true, we know that the growth of the cybercrime ecosystem continues to make hacking easier and more accessible. Here are two examples of the commoditization of hacking toolsets and know-how:

• Ransomware-as-a-Service is prominent dimension of the cybercrime ecosystem in which ransomware developers create malware and support infrastructure, then lease it to affiliates who carry out the attacks. RaaS has fundamentally reshaped the cybercrime economy, lowering technical barriers and enabling both sophisticated and low-skill attackers to launch large-scale extortion operations.
• Initial Access Brokers (IABs) purchase stolen access credentials from hackers for resell to other hackers that will use these to execute hacks. IABs often have sophisticated eCommerce applications where their customers can select stolen credentials that are categorized amongst functionality (privileged, VPN, Firewalls, etc.), industry type, organization size, etc. Because of how successful the IAB market is, use of stolen credentials has recently surpassed malware-based ransomware as the most common breach tactic across all sectors.

3. The Risk to Hackers of Being Caught and Brought to Justice

While some hackers are identified and prosecuted, this is very rare because cybercriminals usually operate outside of legal jurisdiction and other challenges related to attribution and prosecution. NPOs should assume there is virtually nothing deterring the hacking community from targeting their organization.

How Frequently are Nonprofits Targeted and What are Recent Examples?

Most breaches of NPOs (and the business sector at large) are not publicly disclosed. We do know the overall average for U.S. businesses is approximately 10% for publicly disclosed hacks, and we know that most hacks are not reported. Based on very meaningful anecdotal feedback from cross-section of NPOs, we are confident that at least 20-30% have experienced some form of breach in the recent 2-3 years.

The following examples of disclosed breaches to U.S. based NPOs just since 2024 illustrates the scope and nature of breaches:

• Ascension, a major nonprofit health system, suffered a ransomware attack triggered by a phishing email. The breach disrupted hospital operations, delayed patient care, and forced temporary emergency service diversions.
• Extern, a charity focused on social justice, was hit by a ransomware attack in 2024 that exposed staff bank account details.
• Catholic Charities of Southern Nevada reported a data breach in 2024 that may have exposed the names, Social Security numbers, and health information of more than 73,000 clients and employees.
• Easter Seals Central Illinois lost medical and personal records for almost 15,000 people after the Rhysida gang attacked and demanded a $1.35 million
• Mystic Valley Elder Services in Massachusetts reported a data breach in late 2024 where hackers stole files containing names, birthdates, Social Security numbers, financial details, and medical information for about 87,000 people.
• Equinox Inc., a mental health nonprofit in New York, was hit by a LockBit ransomware attack in late 2024 that led to the theft of 49 GB of data and affected over 21,000 clients and staff.
• In July 2024, OneBlood, a blood bank in Florida, was attacked by Hackers took donors’ names and Social Security numbers, which forced the organization to switch to manual blood collection and caused blood shortages.
• The Pennsylvania State Education Association said that a cyberattack in July 2024 exposed sensitive information belonging to more than 517,000 members.
• In October 2024, a hacktivist group attacked the Internet Archive, leaking usernames, emails, and hashed passwords of 31 million users.
• In May 2025, the Salvation Army experienced a breach when Chaos ransomware actors stole names, Social Security numbers, and driver’s license numbers, affecting thousands of staff and volunteers.
• In July 2025, the First Baptist Church of Hammond, Indiana, was targeted in an attack that compromised the personal data of about 5,200 people and led to a ransom demand.

What Lessons Can Be Learned From Recent Breaches?

Like in other industries, there are two primary and interrelated hacking methods deployed against NPOs:

• Social engineering often takes the form of Phishing where attackers trick users into clicking malicious links, entering credentials, or downloading malware.
• Business Email Compromise (BEC) is when attackers compromise or spoof corporate email accounts to request fraudulent wire transfers or sensitive information. BEC is the most damaging financial form of social engineering.
• Smishing (SMS text message phishing) and Vishing (voice phishing via phone calls), while not nearly as common as Phishing and BEC are growing rapidly.
• Ransomware is when attackers deploy malware that encrypts files or systems, and then demand payment, (usually crypto) to obtain a key to unlock the files / systems. Sometimes ransomware involves exfiltration where hackers threaten to leak data to increase pressure for ransomware payment (i.e., double-extortion.) Ransomware is often enabled by stolen access credentials or phishing where users click on malicious links.

In 2026, AI will supercharge the social engineering threat, by dramatically increasing the believability and volume of attacks.

What is the Cyber Security Outlook for the NP Sector?

We know that for all sectors, including NP, the sophistication and volume of breaches are increasing. Here are two primary reasons why:

• Increasing commercialization and maturation of the cybercrime ecosystem (e.g., IABs and RaaS outlined above).
• AI is already being used to increase the realism of deepfakes that trick users to surrender their credentials, transfer data hackers, and in some cases, transfer funds. Even leading financial institutions that know they are targets for this type of hack have been victims. With increasing availability and sophistication of these tools, we know they will soon be commonly weaponized against every sector, including NP.

What Steps Should NPOs Take to Protect Their Mission?

There is no one-size-fits-all approach for NPOs. There are, however, four fundamentals that can be applied to right-size NPOs’ cybersecurity programs.

1. Establish Security Governance with Defined Risk Management Objectives

Although it is commonly overlooked and misunderstood, governance is the foundation to an effective cyber risk management program. In turn, the foundation of governance is the NPO’s risk management objectives. Too many organizations don’t establish meaningful risk management objectives until after they have been breached. Understanding this psychological hurdle, our recommendation is for NPO leaders to not just follow recommendations from this article but to also speak with a cross-section of other business and NPO leaders to understand their perspectives.

We think there is a good chance you will find one or more that will share their post-breach lessons learned, and if so, that will help bridge the gap between risk management being theoretical to practical and critical to protect the mission. Your cyber insurance broker may also be able to share recent and anonymized examples.

Gaining clarity of your cyber risk management objectives provides direction you need to round out your governance approach. Other governance topics include:

• Risk acceptance criteria and processes,
• Roles and responsibilities for understanding and managing cyber risk, policies and standards, and
• How leadership will monitor the cyber program and drive corrective actions to address any gaps.

2. Deploy Cybersecurity Hygiene

Irrespective of your NPO’s mission, data, and services, there are fundamental cybersecurity measures (aka, cyber hygiene) that every NPO should deploy. These include:

• Personnel and organizational controls, including maintained and acknowledged policies to set expectations for all staff and volunteers, and training in acceptable use and social engineering.
• Strong access controls, including network segmentation, least-privilege access controls, multi-factor authentication, hardening of remote access, and privileged access controls for sensitive functions and devices.
• Endpoint and server protection, including anti-virus, anti-malware, and secure mobile app management, email security to filter phishing and malicious messages, and patching and vulnerability management.
• Detection and response controls, including monitoring and threat detection, maintaining a plan for rapid incident detection and response, and backup and recovery plans that include offline, immutable backups.
• Third-party controls, including clarity of roles and responsibilities and regular monitoring of third-party controls, especially Managed Service Providers (MSPs).

Many NPOs rely on MSPs to provide their IT environment and much or all their security. Unfortunately, many do not understand whether the MSP is (a) effectively secured so their systems can’t be compromised to provide a vector to the NPO’s environment, and (b) providing effective security for the NPO. This is a subject beyond scope of this document but involves gaining clarity for these topics before engaging an MSP and then having visibility on an ongoing basis after the MSP is engaged.

There are several security standards and frameworks that can serve as resource in building out your cyber security fundamentals. These include CIS 18, ISO 27001, NIST 800-171, NIST CSF, and AICPA SOC for CyberSecurity and/or SOC 2).

3. Supplement With a Risk-Based Approach

The hygiene type controls outlined earlier are minimum controls every NPO should have. They are not necessarily what’s needed to effectively secure the NPO. This step would identify what controls, if any, are necessary to extend beyond the cyber hygiene fundamentals.

Earlier in this document, we outlined reasons why NPOs are targets and methods used by hackers. Every NPO should try to imagine their org from the perspective of a hacker. This means, knowing what about the NPO represents motivation, and what methods might be used. Answering these questions provides a risk-based roadmap as to what controls would be needed to prevent, detect, and respond to those threats.

A more nuanced approach to understanding risk is to quantify in financial terms the risks represented to the organization (i.e., cyber risk quantification or CRQ). CRQ provides the defensible rationale needed for purposes related to prioritization, investment decisions and rationalizing cyber insurance coverage.

4. Monitor and Continuously Improve

Monitoring is a key dimension of security governance discussed above. Monitoring is critical to offset drift and atrophy, and it reminds your employees and stakeholders that the controls they are responsible for really matter.

Monitoring can take the form of self-assessment or independent reviews by third-parties. Depth can vary to include just inquiry or inspection of evidence such as system settings and control procedures.

Final Thoughts: Why Cybersecurity is Imperative for Nonprofits

The scale and continued expansion of the cybercrime ecosystem and its commoditization means that virtually no NPO is too small to be a target (just like we know all our households are targets).

As described in this article, real cybersecurity risk management extends beyond compliance and includes a governance dimension to help assure your organization cost-effectively adapts amid evolving threats. Understanding your risks, recognizing how attacks occur, and implementing practical safeguards will strengthen your organization and protect your mission.

You don’t need to face this constant pressure alone. Working with advisors who understand nonprofit challenges helps you navigate this complex environment with confidence.

Please connect with your advisor if you have any questions about this article.

---

This article was written by Aprio and originally appeared on 2026-02-03. Reprinted with permission from Aprio LLP.
© 2026 Aprio LLP. All rights reserved. https://www.aprio.com/insights-events/how-can-nonprofits-manage-cybersecurity-risk-ins-article-np/

“Aprio” is the brand name under which Aprio, LLP, and Aprio Advisory Group, LLC (and its subsidiaries), provide professional services. LLP and Advisory (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. LLP is a licensed independent CPA firm that provides attest services, and Advisory and its subsidiaries provide tax and business consulting services. Advisory and its subsidiaries are not licensed CPA firms.

This publication does not, and is not intended to, provide audit, tax, accounting, financial, investment, or legal advice. Readers should consult a qualified professional advisor before taking any action based on the information herein.