Cyberattackers Don't Care About Good Causes
Sightline Security's founder and advisory board discuss how cybersecurity poses significant problems for nonprofits and suggest ways the industry can help.
Arielle Waldman,Features Writer,Dark Reading
March 13, 2026
Nonprofits work to provide free or reduced cost aid, education, and essential resources throughout communities worldwide, but they often struggle to meet their own needs, particularly when it comes to cybersecurity. While they're busy helping others, who's there to help them address increasingly dangerous security gaps?
Experts gathered for an exclusive Dark Reading roundtable agree that approaches need to shift. Better incident reporting, technologies, training, and attention are among the measures needed to face a rising threat, they said, yet are skeptical that nonprofits have the resources to build those defenses.
Threat actors heavily target nonprofit organizations because they hold highly sensitive information, yet many operate with weaker security postures due to a lack of funds and skilled security professionals. However, it is difficult to measure the extent of incidents due to a lack of dependable data. (Read more in "The Data Gap: Why Nonprofit Cyber Incidents Go Underreported.")
Nonprofits Are Critical Infrastructure
It's unclear whether a majority of organizations can implement all the practices they should to maintain strong security postures, whether because of limited resources or because they don't take security seriously enough, and it's especially hard for nonprofits, stressed Wendy Nather, senior research initiatives director at 1Password.
But support is essential, she said, because "nonprofits are the other critical infrastructure" since they provide enormous aid to people in life-and-death situations.
"A lot of people depend on this, especially during natural disasters, so they hold a lot of important data," Nather said. "Most of the industry doesn't understand: Nonprofits are as critical as other parts of the industry, but they don't have the attention, resources, and support that they need."
Nather and Sightline Security CEO and founder Kelley Misata, Ph.D., are among four Sightline Security advisory board members who attended the roundtable with Dark Reading, alongside Dave Lewis, global advisory CISO at 1Password, and Noma Security CISO Diana Kelley. Board member Tony Welz, principal and co-founder of W2 Communications, moderated the panel by focusing on the challenges nonprofits face, how vendors and peers both help and hinder the problem, and ways nonprofits can raise security standards.
'Too Much Security Can be Onerous'
One burgeoning challenge is how nonprofits can keep pace with emerging, advanced technology when they haven't even mastered the basics. Cue artificial intelligence (AI), which even the more mature organizations struggle to implement securely.
Nonprofits are conditioned to look at tools like Claude.ai and check whether they offer nonprofit pricing, explained Misata. However, as a security professional, that sets off alarm bells. The discounts may be good, but the risks could be even greater. The free versions of many of these tools can tap the user's data to train models and compromise the information.
Implementing those tools presents lots of unknowns and nonprofits aren't asking the right questions: Do I need that tool? Is it secure? Therefore, it's not fixing the security problem, Misata added.
"Where we're seeing challenges is: They love all these solutions, particularly all these sexy ones like the AI tools, but they don't know from a security standpoint what they need," she said. "They're just looking at the flavor of the day."
If they don't have the people and expertise to run those tools, giving nonprofits free stuff is not going to help, echoed Nather. For example, they need people to watch the log monitoring, a critical component of strong security.
Even if vendors and peers give nonprofits too much money, that can be just as overwhelming as new technology, said Kelley. She warned that approaches need to be taken carefully. While "too much security can be onerous and not as useful for them," rushing into new technologies "can lead to adopting things in a way that's not entirely secure," she said.
The Human Element
Like everything cybersecurity-related, the human element poses another obstacle. Many people in the industry don't help nonprofits simply because it's not in their best financial interest, and many nonprofits can't afford security talent who can earn a higher salary at a private shop across the street, said Lewis.
Financial concerns have compounded, especially in the past year, due to the economic realities that many industries are facing. They don't have the funds available to do as much philanthropic work, and that's having a knock-on effect for nonprofits, added Lewis.
When allocations shift and donors aren't giving as much throughout the year, nonprofits become distracted looking for new fundraising models. That bites into any security upgrades.
"Having to fill in the gaps of funding that are drying up, that's making them desperate. That's making them scared. That's making them distracted," Misata said. "So they're going to struggle with keeping on top of security that's already new and challenging for them."
Kelley has observed a similar trend where some large security vendors "will on purpose ignore nonprofits" because they don't have the kind of money that for-profits have to spend. That trend was common across the roundtable.
"Too often, even as human beings, we will go into a nonprofit with a paradigm of 'you're poor, you're less than,' bucketing all nonprofits into a one-size-fits-all mentality," Misata said. "When you're looking through the lens of security, that can be really dangerous."
Instead, it's vital to look at them as a business — an important lesson Misata and others on the panel said they have learned. Seeing nonprofits as a business is shifting the conversation, she added.
Check Your Security Ego at the Door
The panelists continually stress how important it is to recognize that nonprofits don't fit into one bucket; they comprise different sectors, from healthcare to finance, have different missions, and operate with different risk profiles. That translates to different threat landscapes, business models, and customer bases.
"You've got to be able to sit with organizations and connect and understand them," Misata said.
Though panelists agree that many large enterprises ignore nonprofits' struggles, some do dedicate philanthropic efforts to support them. Kelley, a former Microsoft chief technology officer, highlights that company as one example.
"My message to nonprofits: Find the companies that do this," Kelley said.
When companies do help nonprofits decide what their security priority is, they can often act on it quickly, said Nather. If nonprofits decide something is important enough, they can go ahead and do it, she added.
But security professionals must approach nonprofits with a different perspective, leaving the "security is the most important" mindset behind. Many business imperatives come way before security for any organization, and it's the same with nonprofits; their mission comes first, Nather said.
"We might say, 'I can't believe you're using SMS for two-factor authentication. How can you do that?'" Nather said. "Meanwhile, someone is freezing to death on the street corner. You've got to have the right perspective when you're working with critical infrastructure like nonprofits."
About the Author
Arielle Waldman
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.