A new report from CLTC’s Public Interest Cybersecurity Program examines the cyber threats facing nonprofits in Washington — and offers guidance for how the state government can support their digital defense.

Nonprofit organizations in the state of Washington face an array of cybersecurity challenges that threaten to prevent them from delivering vital services, according to a new report from researchers with the UC Berkeley Center for Long-Term Cybersecurity (CLTC) Public Interest Cybersecurity Program.
The report, “CyberCAN Washington: A Regional Assessment of Nonprofit Cybersecurity and Strategic Recommendations for Washington State,” examines the cybersecurity threats facing Washington’s nonprofits, and provides recommendations for state government leaders to help these organizations bolster their digital defenses.
Authored by Shannon Pierson, Senior Research Fellow, Sarah Powazek, Program Director of Public Interest Cybersecurity, and Nicholas Perematko, Student Researcher, the report was produced as part of Cybersecurity for Communities and Nonprofits (CyberCAN), an initiative through which CLTC partners with local and state governments to provide digital security assistance to nonprofits operating in their communities. CyberCAN first launched in 2024 when CLTC conducted research in partnership with the City and County of San Francisco.
“Nonprofits like food banks, homelessness services, and community development organizations provide critical and time-sensitive services to local residents and are fixtures of community support for people of all ages. But nonprofits are also among the most common targets of cyberattacks and among the least prepared to defend against them,” the authors write. “This report set out to help state and local governments better understand the current cybersecurity posture of nonprofits and identify where public and private sector support can most effectively intervene to strengthen nonprofit cyber resilience.”
To produce the report, CLTC partnered with Washington Technology Solutions (WaTech), a government agency that provides enterprise IT service, support, strategy, and security for public agencies and municipalities across the state. The researchers surveyed 100 Washington-based nonprofits to understand the challenges they face regarding cybersecurity staffing, budgets, data protection, incident response, and other key indicators of cyber defense. They also conducted interviews with nonprofits about cyberattacks they have experienced, and they interviewed government personnel in IT and human service departments to interpret the survey data in the context of practitioners’ lived experiences.
The survey surfaced four main findings for Washington-based nonprofits:
- Nonprofits frequently experience cyberattacks that disrupt operations, cause financial losses, and expose sensitive data.
- Nonprofits carry significant cyber risk because they collect sensitive information and have limited adoption of essential cybersecurity controls.
- Nonprofits do not have the capacity to invest in cybersecurity due to insurmountable staffing and budget constraints — trends very likely to continue.
- Nonprofits struggle to prioritize cybersecurity until an incident occurs and lack the knowledge to make necessary improvements in the aftermath.
“These findings from Washington State validated findings from San Francisco: nonprofits in both regions faced similar digital threats and suffered from severe understaffing in IT and cybersecurity,” the authors write. “However, building on the San Francisco findings, we now know that these hardships are most pronounced in the smallest nonprofits, which had larger gaps in staffing and were less likely than large nonprofits to invest in cybersecurity resources like managed service providers (MSPs) or managed security service providers (MSSPs).”

Recommendations
The findings informed a series of recommendations to help “capable actors like the State of Washington, WaTech, and large cities and counties to play a greater role in nonprofit cybersecurity.” These recommendations, developed by CLTC alone based on our analysis of the survey and nonprofit interviews, include the following:
- Nonprofits should reduce the amount of sensitive data they collect.
- City and county governments should play a coordinating role in connecting local nonprofits to cybersecurity resources that align with their budgets and needs.
- The State of Washington should establish a short-term working group on nonprofit cybersecurity to define and operationalize local government coordination.
- The State of Washington should include nonprofits in the full scope of support provided by centralized resources, such as the Washington Volunteer Cybersecurity Incident Response Team (CIRT).
- The State of Washington and well-resourced city and county governments should offer shared cybersecurity tools and services to nonprofits.
- The State of Washington should invest in expanding and strengthening supportive programs tailored to the cybersecurity needs of nonprofits.
“It is clear that without intervention, Washington nonprofits delivering social services will continue to face existential cybersecurity threats from which they may not recover,” the researchers warn. “We urge the State of Washington and leading governments in Seattle, Redmond, Bellevue, Tacoma, and many other cities and counties to bring nonprofits under the umbrella of public entities receiving digital protections and cybersecurity support.”

