White Paper / June 2025

The Roadmap to Community Cyber Defense: A Path Forward from the Cyber Resilience Corps

Community organizations — including nonprofits, hospitals, schools, local utilities, city governments, and small businesses — deliver vital services to the public, but they are often the least prepared to protect themselves from cyberattacks. A new report from the Center for Long-Term Cybersecurity (CLTC) provides a strategic plan for addressing this challenge in the near- and long-term future.

“The Roadmap to Community Cyber Defense: A Path Forward from the Cyber Resilience Corps” — authored by Sarah Powazek, Director of CLTC’s Public Interest Cybersecurity Program, and Grace Menna, Public Interest Cybersecurity Fellow — is based on findings from the first year of operations of the Cyber Resilience Corps, an initiative co-chaired by CLTC and the CyberPeace Institute that brings together cyber volunteering leaders, private-sector partners, experts, and community leaders.

“To develop the report, we critically examined the structural barriers that lead to cyber insecurity among community organizations, and we charted a path forward to mobilize more cyber civil defenders and protect a growing number of community organizations from cyber attacks,” the authors explain in the report’s introduction.

Growing Threats — but Limited Access to Cybersecurity Resources

In the report, Powazek and Menna provide an overview of the significant security challenges facing community organizations. For example, they note that in 2024, 67% of global healthcare facilities were hit by ransomware attacks, jeopardizing patient care in underserved areas, while the global education sector (i.e., schools) experienced a 69% increase in ransomware incidents between Q1 2024 and Q1 2025.

Yet despite the growing threats, a range of structural challenges make it difficult or impossible for community organizations to defend themselves online. The ongoing cost of cybersecurity exceeds the budgets of most small organizations, and while a variety of software, guidebooks, and volunteer-based services are available on a free or low-cost basis, many organizations are not aware of these resources or are unable to access them. “Currently, there is no centralized way to identify what services are available or which organizations qualify, leaving the research burden to organizations whose time is already limited,” the authors explain.

Complicating the problem, government funding programs for community security — for example, through the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP) — can be volatile, increasing reliance on cyber volunteering groups to help plug the gaps. 

Volunteer cyber support providers often struggle to help community organizations, in part because of legal and liability concerns. They also are challenged to collect standardized metrics on their impact, and while community organizations “make tangible and measurable improvements to their security posture while services… are rendered,” they often lack “the financial resources, human capital, and guidance to respond to evolving threats and technologies after the volunteer engagement concludes.”

The Roadmap: A Path Forward 

In the report, Powazek and Menna detail a multi-phase “roadmap” for strengthening the cybersecurity of community organizations. “Cybersecurity support for community organizations cannot wait for long-term change; we all need a roadmap to show us the way forward,” the authors write. “There may be hazards, but if enough people pull over to lend a hand, all organizations can get on the road to cyber resilience together.”

First, they propose a “co-responsibility model” for cybersecurity that details which responsibilities community organizations can reasonably be expected to shoulder, and what duties should be shifted toward other, more capable actors. They argue that community organizations should “keep one hand on the wheel” but should not be “mechanics” — i.e., they should be responsible for understanding cybersecurity risk, and for seeking and advocating for solutions to those risks, but they should not be expected to have in-house cybersecurity expertise.

Powazek and Menna propose an “on-ramp” to address immediate gaps in services, with nine specific recommendations to rapidly assist local schools, cities, nonprofits, and utilities across three lines of effort. “Our recommendation for the near term (i.e., the next two years) is to scale free and low-cost cybersecurity services, especially cyber volunteering programs, for the benefit of small community organizations,” they write. “To sustain progress over time, we also recommend a five-year effort to simplify cybersecurity for non-experts and create pathways for long-term support.” The three lines of effort include: 

  1. Maturing cyber volunteering programs, including by expanding collection of metrics on volunteer groups’ impact, clarifying liability protections for cyber volunteering, and improving volunteer and client matching; 
  2. Expanding cyber volunteering programs, by prioritizing the most threatened organizations, investing in interconnectivity among volunteer programs, and investing in cyber volunteering; and 
  3. Enhancing continuity of service after volunteer engagements conclude, by centralizing key template resources, bolstering hand-off procedures after engagements, and helping organizations find full-time support.

In addition, the authors propose a long-term “destination” that the cybersecurity industry should work toward in order to shift the burden away from community organizations. They argue that companies should simplify cybersecurity for non-experts, including by promoting “secure-by-design” technology automating essential cybersecurity actions. They also argue that state governments should develop “shared services” for community organizations, including by leveraging pooled models to increase access to critical security resources for small organizations like cities, nonprofits, and utilities.

The report also emphasizes the importance of “embedding cyber knowledge in our communities,” including by developing “trusted messengers” from different spheres to help organizations understand their role in cybersecurity, and by teaching basic cybersecurity concepts in schools. “It is crucial for everyone to have personal cybersecurity awareness skills,” the authors write. “Learning these skills at a young age creates local workforces that are better equipped to deploy cybersecurity best practices and protect themselves and their loved ones from harm. After all, community security is national security.”

State Guidebook: Creating a Regional Cyber Support Ecosystem

The report includes a guidebook designed to help state governments develop “cyber support ecosystems” within their states and regions. “Protecting under-resourced organizations across a state is no small feat; many organizations have vastly different budgets, technologies, and missions,” the report explains. “However, several proven models have been developed to help small organizations better protect themselves from cyberattacks, and states can provide broad support to cities and counties by funding programs that offer free or low-cost cybersecurity services.” 

The guidebook centralizes information on some of the most popular regional cyber defense programs, and features applied case studies and model legislation to facilitate adoption. Among the programs recommended are cybersecurity clinics, which train students at colleges and universities to provide pro bono cybersecurity services to community organizations, and student-staffed security operations centers (SOCs). States are also advised to promote the development of state civilian cyber corps programs, teams of cybersecurity professionals who volunteer to provide cybersecurity services, and nonprofit volunteering groups, which provide free or at-cost cyber resilience services to under-resourced communities.

Future Work

“The status quo — in which community organizations are expected to shoulder the entire burden of cybersecurity themselves — cannot continue, nor can we accept a future where cybercriminals frequently shut down critical community organizations,” the report concludes. “But there is a path forward by which cyber leaders at the regional level, from universities to nonprofits to state governments, band together to create local ecosystems of cyber support…. The Cyber Resilience Corps… looks forward to tackling the challenges of volunteer coordination and scale in the next phase of this initiative. We hope this report will inspire our fellow leaders to take action — to invest not only in sectors but in entire communities — and to play their unique part in this cooperative journey toward a just and secure prosperous future.”
