
Cybercriminals are Profiting From the Not-for-Profits

With budgets stretched to the breaking point as the pandemic wreaks havoc on operations, the last thing a not-for-profit organization needs is a ransomware attack. One recent example involved a South Carolina NFP that was hit with a ransomware attack, leaving the Executive Director pleading, “Why in the world would someone want to do this to us?” That is the harrowing question posed by countless NFP organizations across the country that are joining the growing ranks of cyberattack victims. The answer is simple: profit. Ransomware is a lucrative endeavor, and cybercriminals are unsympathetic to the important services provided by their victims, regardless of how altruistic those services may be.

With one errant click or keystroke, an email attachment from a cybercriminal can unleash a payload that quickly spreads throughout an organization, rendering computers and servers useless in a matter of minutes. From there, the options are very limited: the NFP can pay the attacker in the hope of receiving the decryption key, or go through the arduous process of wiping and restoring systems until they are once again functional. However, there is a third option that greatly reduces the chance of an attack ever succeeding: prevention. The following efforts are examples of what an NFP can do to proactively fortify its cyber defenses and substantially improve its chances of remaining safe and secure.

  • Cybersecurity Risk Assessments
    • If you don’t know what data and assets you have or how well they are being defended, it is virtually impossible to protect your organization from cyberattacks. Completing a cybersecurity risk assessment will help you identify your most critical systems and data, recognize and prioritize gaps, and build a roadmap to a safer and more secure environment.
  • Security Awareness Training
    • Since over 91% of data breaches begin with a spear phishing attack, it is imperative to train employees to identify and avoid this threat. Every employee, including those being newly onboarded, should be provided with the training needed to recognize and avoid these attacks.
  • Spear Phishing Simulations
    • Once you have established a cybersecurity awareness training program, it’s critically important to then incorporate a trust-but-verify approach. The best way to verify that all employees can identify spear phishing emails is to simulate these types of attacks. These simulations reinforce the training concepts and identify those employees who need additional guidance.
  • Penetration Testing and Vulnerability Assessments
    • A misconfigured network device or a missing security patch can open the door for cybercriminals to enter your organization. Conduct penetration testing and vulnerability assessments on a regular basis to simulate what an attacker could exploit, so that vulnerabilities are identified and addressed before a real attacker can leverage them.
  • Threat Hunting
    • Threat hunting involves searching for hidden or undetected cybersecurity threats within a network that have circumvented endpoint security protections. Using a variety of methods, threat hunters scrutinize an organization’s technical assets for anomalous behavior that may indicate malicious activity.

For more information on securing your NFP organization, contact Kevin Ricci at or your Citrin Cooperman Not-For-Profit Practice advisor.
