A new CLTC report provides guidance to help government leaders in San Francisco and other cities more effectively support the digital security of local nonprofits. The report, “CyberCAN: Cybersecurity for Cities and Nonprofits,” was produced as part of Cybersecurity for Cities and Nonprofits (CyberCAN), an innovative research partnership between CLTC and the City and County of San Francisco.
Nonprofits like food banks, homelessness services, and community development organizations provide critical and time-sensitive services to local residents and are fixtures of community support for people of all ages. But nonprofits are also the second-most-targeted sector for cyber attacks — and are among the least prepared to defend themselves.
“The goal of CyberCAN is to help cities like San Francisco better understand the digital security challenges of local nonprofits, and the findings are relevant to governments in all major cities,” explains Sarah Powazek, Program Director for CLTC’s Public Interest Cybersecurity program, who co-authored the report with Shannon Pierson, Public Interest Cybersecurity Senior Fellow. “City governments have a vested interest in helping nonprofits with cybersecurity, and are uniquely positioned to provide a platform of support.”
Cyber attacks on nonprofits cause immediate and serious damage. In 2020, a hunger relief organization in Philadelphia lost nearly $1 million due to a cyber attack, and in 2022, cyber criminals stole the personal data of more than 500,000 people from the International Committee of the Red Cross. This data included highly sensitive information about refugees, people separated from their families, and missing persons, highlighting the severe risks faced by nonprofits when targeted by cyber threats.
While nonprofit cybersecurity is a critical issue and a frequent topic of conversation in cybersecurity circles, most solutions place the burden upon nonprofits themselves. The CyberCAN initiative was launched to help improve municipal governments’ understanding of nonprofits’ cybersecurity challenges — and identify opportunities to improve the cyber resilience of organizations operating in their local communities.
“Ensuring digital equity means more than access to technology—it involves empowering all organizations, including our nonprofits, with the tools they need to operate safely in the digital world,” said Reymon LaChaux, Digital Equity Manager at the San Francisco Mayor’s Office of Housing & Community Development. “This report highlights a gap in cybersecurity resources that leaves many nonprofits vulnerable to cyber threats. By addressing these disparities, we can create a more resilient nonprofit sector and reinforce San Francisco’s commitment to digital inclusion and equity for all.”
CyberCAN: Cybersecurity for Cities and Nonprofits
Key Findings
For the report, CLTC surveyed 68 San Francisco-based nonprofits to understand their cybersecurity challenges, preferences for support, available resources, and baseline cyber hygiene practices. Following are select key findings from the research:
- Nonprofits are frequent targets of cybercrime, with 85% of organizations surveyed reporting that they have experienced at least one cyber attack.
- Nonprofits remain attractive targets for cyber criminals because they collect and store sensitive information: 75% of surveyed nonprofits reported that they collect social security numbers.
- Nonprofits lack the staffing resources they need to protect themselves against cyber attacks: 53% of surveyed nonprofits have no full-time IT staff, and those that do have an average of just one full-time IT staff member for every 96 employees.
- Nonprofits have moderate adoption rates of basic cybersecurity controls. While 61% of surveyed nonprofits employ multi-factor authentication (MFA) for email and collaboration tools, 16% do not use MFA at all, and 53% do not offer any type of cybersecurity awareness training for employees.
- Nonprofits struggle most with funding and prioritizing cybersecurity: 46% of surveyed nonprofits ranked funding as the greatest obstacle to improving their organization’s cybersecurity, followed closely by a lack of knowledge on what to improve and difficulty prioritizing cybersecurity over competing objectives.
The findings suggest a variety of solutions that municipal governments can put in place to better support local nonprofits. For example, the nonprofits surveyed indicated that they want hands-on, human assistance, rather than online resources. They ranked a city helpline and proactive cybersecurity consulting as the highest-priority needs for improving their cybersecurity — above other cybersecurity resources, such as tools and software, educational websites, and awareness training.
The report’s findings suggest several practical solutions that governments can offer:
- Hire a virtual Chief Information Security Officer (CISO) on a part-time or temporary basis to assist local nonprofits and small businesses.
- Host a biannual cybersecurity workshop for nonprofits and small businesses in the local community.
- Create a nonprofit cybersecurity resource webpage on the city government website.
- Offer specialized cybersecurity grants to help nonprofits hire cybersecurity talent and/or acquire software and tools.
- Adjust the overhead constraints for grants available to nonprofits to allow for the allocation of funds to address cybersecurity needs.
- Host student summer interns to work with nonprofits on cybersecurity issues.
- Provide local nonprofits with low-cost access to critical cybersecurity tools and software.
“We look forward to continuing to work with the city of San Francisco and other cities to serve the cybersecurity needs of their local nonprofits,” Powazek said. “By providing assistance to nonprofits, cities can help protect residents’ critical services and sensitive health and financial information from the constant threat of digital harm.”
Craig Newmark Philanthropies and Okta For Good provide ongoing support for innovative public interest cybersecurity research at UC Berkeley. This research focuses on defending low-resource public interest organizations, such as nonprofits, municipalities, and schools, from cyberattacks, including the CyberCAN report. The next phase of this project will examine how to bring these findings to smaller cities and municipalities across the country.
