Toolbox: Cyber Criminals Profiting From The Not-for-Profits

With budgets stretched to the breaking point and the pandemic wreaking havoc on operations, the last thing a not-for-profit (NFP) organization needs is the catastrophic expense of a ransomware attack. 

With one errant click or keystroke, an email attachment from a cybercriminal can unleash a payload that spreads quickly throughout an organization, rendering computers and servers useless in a matter of minutes. From there, the options are very limited: the NFP can pay the attacker in the hope of receiving the key needed to recover its files, or go through the arduous process of wiping and restoring systems so that they are once again functional.

There is, however, a third option: prevention. The following efforts are examples of what not-for-profits can do to proactively fortify their cyber defenses and greatly improve their chances of remaining safe and secure.

Cybersecurity Risk Assessments

Completing a cybersecurity risk assessment will help you identify your most critical systems and data, recognize and prioritize gaps, and build a roadmap to a safer and more secure environment. 

Security Awareness Training

Once you have established a cybersecurity awareness training program, it’s critically important to then incorporate a trust-but-verify approach. The best way to verify that all employees can identify spear phishing emails is to simulate these types of attacks. These simulations reinforce the training concepts and identify those employees who need additional guidance.

Penetration Testing and Vulnerability Assessments

A misconfigured network device or a missing security patch can open the door for cybercriminals to enter your organization. Conduct penetration testing and vulnerability assessments on a regular basis to see your environment the way an attacker would, and to identify and address any vulnerabilities before an actual attacker can leverage them.

Threat Hunting

Threat hunting involves searching for hidden or undetected cybersecurity threats within a network that have circumvented endpoint security protections. Using a variety of methods, threat hunters scrutinize an organization’s technical assets for anomalous behavior that may indicate malicious activity.

Kevin Ricci is a partner in Citrin Cooperman’s Technology, Risk Advisory, and Cybersecurity (TRAC) practice with more than 25 years of experience in the information technology field providing clients specialized technology expertise and cybersecurity solutions. For more information on securing your NFP organization, contact Kevin Ricci at kricci@citrincooperman.com.