When a cyber attack hits, the impact on nonprofits can ripple far beyond their walls—jeopardizing vulnerable populations, sensitive data, and critical services. For many city-based nonprofits, the stakes couldn’t be higher, yet cybersecurity resources often remain out of reach. A new report from UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) is shedding light on this urgent issue, offering a roadmap for cities to bolster the cyber resilience of the nonprofits they rely on.
Developed by CLTC’s Public Interest Cybersecurity (PIC) program in collaboration with the City and County of San Francisco, the CyberCAN: Cybersecurity for Cities and Nonprofits report explores the challenges nonprofits face and the opportunities for cities to help them thrive in an increasingly digital world.
Surveying 68 San Francisco-based nonprofits, the report uncovered five key findings about cyber vulnerabilities and opportunities for improved cyber resilience:
- 85% of organizations surveyed reporting that they have experienced at least one cyber attack.
- 75% of surveyed nonprofits reported that they collect social security numbers.
- 53% of surveyed nonprofits have no full-time IT staff, and those that do have an average of just one full-time IT staff member for every 96 employees
- 61% use multi-factor authentication, 16% do not use MFA at all, and 53% do not offer any type of cybersecurity awareness training for employees.
- 46% of surveyed nonprofits ranked funding as the greatest obstacle to improving their organization’s cybersecurity.
Despite these challenges, many nonprofits are eager to improve their defenses. The report highlights solutions like expanding funding, offering cybersecurity training, and fostering citywide collaboration. As Michael Makstman, San Francisco’s Chief Information Officer, put it, “Together with this roadmap and report, we can support the SF nonprofit community and continue to serve people who need their services most.”
The launch event featured a presentation of key findings from the report’s authors, Sarah Powazek, Director of the PIC initiative, and Shannon Pierson, a PIC senior fellow in the PIC initiative. The presentation was followed by a panel with Nathan Sinclair, Interim City Chief Information Security Officer in the City and County of San Francisco’s Office of Cybersecurity, and Rey LaChaux, Digital Equity Manager in the San Francisco Mayor’s Office of Housing and Community Development, to discuss solutions and ongoing efforts to support nonprofit cybersecurity. They highlighted the interdependence between the city and its nonprofits and stressed the importance of building better cybersecurity habits among people.
The CyberCAN project is supported by Craig Newmark Philanthropies and Okta For Good, who provide ongoing support for innovative public interest cybersecurity research at UC Berkeley. Looking ahead, the CyberCAN team intends to expand the study to include other U.S. cities in order to understand the regional differences and relationships between municipalities and nonprofits in those communities. “The recommendations will change,” said Powazek, “but we’re looking forward to getting a country-wide view of the cybersecurity of nonprofits and the relationship to their cities.”
