Not-For-Profits and Cybersecurity Breaches: What Are The Risks?

For those working for or with charities, it is incredibly important to understand the cybersecurity risks that affect the not-for-profit sector. Because charities run without making a profit, it can be hard to justify regular spending on cybersecurity, yet organisations that handle large sums of money and confidential information present an easy target to malicious hackers.

As a charity, the focus will always be first and foremost, on the beneficiary/ies, whether this is people, the climate change debate, animals or a specific cause. Whatever it is, the priority will always be a beneficiary.

However, when looking at the current risk of cybersecurity breaches and the impact this has on the charity sector, there is much to be concerned about. One such major concern is the Pegasus software, owned by NSO Group, which has been brought up in many cybersecurity circles in recent years due to the software’s ability to be placed on a subject’s phone without them realising. Used against human rights activists who go against certain government states, it’s a growing concern for 2022.

The Risks for Charities in 2022

In 2022, the digital world continues to develop, and with that, comes the growing development of hacking.

Cybercrime, and everything that comes under the umbrella of it, has been increasing in recent years. In 2018, only 19% of charities reported a breach, but in 2021, 26% of charities reported a breach, and many more may have happened unknowingly.

Remote working, now commonplace and permanent for staff across the world, adds another cybersecurity risk. Those who do not use company-provided technology, whether a mobile phone or a laptop, face an increased risk of being hacked.

However, as reported by many across the globe, a serious concern is state sponsored spyware, especially the Pegasus software.

What is the Pegasus software?

Pegasus is a highly advanced spyware program, created by Israeli company NSO Group. Its intended use is to fight crimes such as terrorism, paedophile rings and large scale drug abuse, but it’s been repeatedly used for state sponsored spying on various parties.

For the last few years, there has been increasing concern over Pegasus and NSO Group’s seeming lack of responsibility over its use. While their website states that “[NSO Group] does not and will not license Pegasus to potential nation-state customers that, following its human rights-focused due diligence process, it believes to have inadequate country-level protections in place to confidently prevent product misuse, or where the rule of law creates an unduly high risk of misuse,” there has been increasing press coverage of nation states using Pegasus to spy on intermediary bodies such as journalists, human rights activists and more.

In fact, Amnesty International reported that the Pegasus software had been installed on the phone of the fiancée of murdered journalist, Jamal Khashoggi. Khashoggi was murdered four days before the software was installed on his fiancée’s phone. Amnesty International themselves have been targets of Pegasus, with activists receiving infected text messages.

How does Pegasus work?

Pegasus is a highly advanced spyware solution. It infiltrates a person’s device either through a malicious link that the person clicks, or now through ‘zero-click’ exploits, where the person does not have to do anything to become infected.

Once on someone’s phone, it turns the phone into a spying device, reading every communication on their phone, remotely accessing their camera and microphone and tracking someone’s location. If used, it is an extremely powerful weapon against someone.

Pegasus essentially takes over a person’s phone and scrapes data from it, creating a minute-by-minute log of the activity they are carrying out.

Why Are Charities at Higher Risk?

Charities are often seen as easy targets by hackers. A charity may use personal devices to conduct work, rely on a volunteer network of less technically experienced people, and run outdated equipment, which together provide a breeding ground for attack.

Similarly, those who use personal devices for work-related purposes often make it known by linking their work email to their phone. This particular method of identification became known recently, when US State Department workers who had linked their state.gov email address with their Apple ID were targeted while working in Uganda, an area of high political tension currently. While NSO Group says it has prevented its intrusion method from working on US phone numbers beginning with +1, anyone using another phone number, or an obviously identifiable email address, puts themselves at high risk.

As found in the cybersecurity report by the UK Government, charities have actually seen a reduction in good risk management and preparedness. With COVID stretching funds thin, charities have seen a drop in malware protection (69%, vs. 78% in 2020) and network firewalls (57%, vs. 72% in 2020).

How Can Charities Protect Themselves?

In 2022, cybersecurity for charities is going to become ever more important. But how can charities protect themselves in this year of unknowns?

Use a VPN for any work conducted

Using a VPN for work done on personal devices, or at home, can help protect the work you do. It encrypts network traffic between your device and the VPN provider, making it harder for malicious actors on the same network to observe your communications and identify the work you do.

Set up Two Factor Authentication (2FA)

By using two factor authentication, you can ensure your accounts are protected against unwanted logins even if a password is stolen. Two factor authentication requires a second verification step on each login, such as a text message code, a code from an authenticator app, or pressing a button on a trusted device.

Educate all staff and volunteers on best cybersecurity practice

As part of onboarding, and then at regular intervals, all staff and volunteers should be trained on cybersecurity: how to spot phishing scams, and what to do if they suspect anything. This training is legally required in some cases, but is strongly recommended for anyone working with a company or charity.


Kitty Bates is the Cybersecurity Content Curator at ramsac, providing insights on cybersecurity and IT services for charities, businesses and education.
