Nonprofit Resources


3 Common Cybersecurity Threats

While cyber breaches can take many different forms, they typically occur when hackers target common technical weaknesses. Here are three of the most prevalent cybersecurity threats all nonprofits face.


You’ve probably heard of phishing, but you may not be aware of all the forms it can take. Phishing emails are fraudulent emails designed to entice the recipient to click on an attachment or link or share sensitive information. This opens the door for cyber criminals to infect your computer systems with malware, steal sensitive data, or trick the recipient into an action such as wiring funds.

We’re all familiar with typo-laden emails that look fake, but many phishing emails look like legitimate communications from believable sources such as banks, credit card companies, package delivery services, or internal parties like your executive director or CFO. If your organization uses filtering to stop phishing emails, be aware that some can slip through even the best systems.

Spear phishing is a form of phishing that targets specific individuals or organizations. These emails look like they are from an individual or business you know and often use social engineering to target recipients with personal details gleaned online, such as through social media sites.

Phishing has led to high-profile breaches at Target and Home Depot, but churches, higher education institutions, and nonprofits of all sizes have been victims, too.

Knowing how a phishing attack works will help you understand and recognize the threat. In addition, phishing tests and ongoing employee training are effective tools for reducing your organization’s risk.


Vulnerabilities are holes in software code that hackers can use to gain access to a system. These holes can exist in all software, including operating systems and applications such as Java and Adobe Flash.

Vulnerabilities are closed by applying updates and patches. The massive Wannacry ransomware attack, for example, was completely preventable. It spread because users had failed to install a patch that had been available for a couple months.

Consistently patching and updating all systems will help prevent vulnerabilities. Vulnerability scans of your internal network and external Internet-facing systems should be performed regularly — ideally on at least a quarterly basis — to identify any existing vulnerabilities.

A staggering number of vulnerabilities are discovered every day. These are known as zero-day vulnerabilities because an update or patch isn’t available at the time of discovery. That’s why it’s important to create and implement a plan for zero-day vulnerabilities.


The term “malware” stands for “malicious software.” It installs without a user’s knowledge — typically when a user visits an infected website or clicks on a link or attachment in a phishing email. The software can lay dormant on a system for a long time before the hacker uses it to exploit a vulnerability or system weakness.

Malware includes viruses, spyware, worms, and ransomware. And it’s available for purchase online — which means that anyone can become a cyber criminal.

All systems are at risk for a malware attack, including your organization’s servers, laptops, desktops, networking equipment, networked printers, mobile devices, and Internet-connected “smart devices” such as thermostats and alarms. It’s critical to have a full inventory of all such systems within your organization, so that you can implement and maintain the appropriate controls to protect each one.

We can help you assess and reduce your organization’s risk from these common cybersecurity threats as well as other issues. Visit or contact us at [email protected] to learn more.


Leave a Comment