How Can Cities Keep Nonprofit Groups Cyber Secure?

A new study of San Francisco considers nonprofits’ unique cybersecurity challenges in that community as well as ways the local government could help. The research team hopes to study other cities soon.

Food banks, homeless shelters, afterschool art programs, advocacy — nonprofit organizations offer critical services, but they also face steep challenges defending themselves against cyber attackers. With this in mind, a new study asks whether cities can do more to help with cybersecurity for nonprofits.

The study comes out of a research partnership between the city and county of San Francisco and the UC Berkeley Center for Long-Term Cybersecurity (CLTC), a cyber clinic that provides cybersecurity support to local nonprofits. CLTC recently studied 68 local nonprofits’ cyber maturity and needs.

It may seem unusual to ask a city to help provide cyber support, given that local governments are often seen as struggling to keep themselves safe, said Sarah Powazek, program director of Public Interest Cybersecurity at CLTC.

“One of the big things about this study in particular is it represents a big narrative shift in the role cities play in cybersecurity,” Powazek said. “Cities are often thought of as ransomware victims. We're really trying to push for the idea that large cities, that capable cities, can play this role as a local hub of cyber defense.”

San Francisco is one such city and has been eager to help: it asked the center to advise it on what support to offer. Powazek hopes the city’s incoming mayoral administration will maintain that interest.

Nonprofits are threatened both by wide-sweeping, indiscriminate cyber attacks and by attacks specifically targeting them. Cyber criminals generally seek donors’ financial information along with details about the people nonprofits serve. Powazek and the report’s co-author, CLTC Public Interest Cybersecurity Fellow Shannon Pierson, said they were surprised to discover that a full 75 percent of surveyed nonprofits collect Social Security numbers. Meanwhile, politically motivated hackers target nonprofits that support groups like refugees and LGBTQ+ people. Nation-states in turn try to spy on nonprofits involved in sensitive political work.

In the San Francisco survey, respondents most often reported being hit with phishing attacks, followed by business email compromise and credit card or bank account fraud.

Unlike other small organizations, nonprofits have limited legal ability to dedicate money to cyber defense. Grants often require that at least 90 percent of funding go to nonprofits’ missions, leaving just 10 percent for “overhead,” a category that includes human resources, employee salaries, IT and more. Cybersecurity competes against other priorities for funds.
[Pie chart: 53 percent of nonprofits lack IT staff, 26 percent have 2-5 IT staff and 21 percent have 1 IT staffer.]
Courtesy of the Cybersecurity for Cities and Nonprofit
And because nonprofits tend to pay lower salaries than other sectors, many employees don’t stay long term. That churn creates a need to carefully manage user accounts, creating new ones and deleting old ones. Heavy use of volunteers also contributes to the need to carefully manage access.

More than half of nonprofits said they lack full-time IT staff. They are also less likely to have third-party support, like managed service providers, compared to peers with IT staff. The sector’s frequent employee turnover also meant that even nonprofits with an IT employee faced the prospect that person might leave after a year or two, taking cybersecurity knowledge with them.

Surveyed nonprofits varied in whether they had adopted core cyber practices. More than half didn’t offer employees any cybersecurity training, and half failed to update their software frequently enough. Sixteen percent did not use multifactor authentication.

Surveyed nonprofits expressed that they understood the importance of cybersecurity, but many said funding for it was their top challenge. Nonprofits also commonly said it was hard to prioritize cyber, and they often didn’t know next steps to take to improve.
[Chart: 52 percent of nonprofits provide cyber training, 18 percent offer some training to staff and/or volunteers and 30 percent train all staff and volunteers.]
Courtesy of CyberCAN
That’s where the city comes in.

Surveyed nonprofits most of all said they’d like live help. Many embraced the idea of a city helpline to call for free cybersecurity and IT assistance. Many also said they’d like one-on-one consulting with professionals who could assess their cyber maturity and recommend improvements.

Informational materials were also desirable, like a city web page explaining resources available to nonprofits.

The report details various actions the city could take, alongside estimates of the time and effort involved in doing so. Recommendations range from the aforementioned resources to annual city-hosted events where nonprofits could learn and network with cyber professionals; grant money specifically designated for nonprofits to get cyber tools or talent; and summer internship programs that would have students from higher education institutions help nonprofits with cybersecurity.

Municipalities are stable, long-term entities, making them better able to offer reliable cybersecurity support than some other organizations. And local governments tend to already have trusted relationships with local nonprofits, with the latter used to turning to their city agencies for help, Powazek said.

While this study focused on San Francisco, the team plans to conduct similar studies in different regions to understand local needs and the roles those cities could take in offering support.

Powazek intends that future studies will reach a mix of cities, not just other large metropolitan areas. Ultimately, the team hopes to be able to publish a set of core recommendations that proved relevant across different jurisdictions.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.