On April 17, state leaders, local officials, and nonprofit leaders gathered in Seattle’s City Hall for the “WA Nonprofit Cyber Forum: Research & Resources,” a half-day event aimed at helping close the cybersecurity resource gap facing nonprofit organizations in the state of Washington. CLTC hosted the event in partnership with the City of Seattle and Washington Technology Solutions (WaTech), the state’s central IT and cybersecurity agency.
The forum was presented as part of CyberCAN: Cybersecurity for Communities and Nonprofits, a CLTC-led initiative to improve local governments’ understanding of nonprofits’ cybersecurity challenges. CyberCAN launched in 2023, when CLTC partnered with the City and County of San Francisco to assess the challenges facing local nonprofits. Building upon that research, CLTC partnered with WaTech to undertake a new regional study between 2025 and 2026 focused on nonprofits located in Washington State.
“The organizations that provide some of the most critical services to our residents are often the least prepared to handle cybersecurity threats,” said Sarah Powazek, Program Director of Public Interest Cybersecurity at CLTC, in welcoming attendees to the event. “The goal is to connect nonprofits to the resources and information they need to be able to better protect the information of their beneficiaries.”
Bill Kehoe, Director of WaTech and the Chief Information Officer (CIO) for the State of Washington, explained in his introductory remarks that he had seen first-hand the challenges many nonprofits face in maintaining baseline digital security. “I look at nonprofits as an extension of us in government,” Kehoe said. “Nonprofits struggle with technology in general because they’re not in the business of being technologists, they’re in the business of serving the critical needs of residents.”
Joy Hollingsworth, Seattle City Council President, also emphasized the vital role nonprofits play in serving local citizens. “The attacks have gotten more sophisticated and are coming at nonprofits at a rapid pace,” she said. “The City [of Seattle] and State [of Washington] are really committed to doing what we can do to partner with our nonprofit community to help with that.”
“City Hall is the front porch to city government, but you all are the front porch to the folks,” Hollingsworth added. “We want to make sure the city is not only a provider of funding, but a provider of resources.”
CyberCAN Washington: A Data-Driven Wake-Up Call
As a key part of the event, researchers from CLTC’s Public Interest Cybersecurity program presented findings from their report, “CyberCAN Washington: A Regional Assessment of Nonprofit Cybersecurity and Strategic Recommendations for Washington State,” which provides recommendations for state and local governments to bolster the digital security of Washington-based nonprofits. “We publish a lot of reports, but none of that matters unless we… work with folks hand-in-hand to make sure that what we learn gets translated into action,” Powazek explained.
Shannon Pierson, Senior Research Fellow at CLTC, provided an overview of the research, which was based on a mixed-methods approach that included a survey of 100 nonprofits representing 54% of all counties in Washington, as well as interviews with nonprofit leaders. Among the key data points found through the study: 79% of surveyed Washington nonprofits reported experiencing at least one cyberattack in the last three years, and nonprofits have an average of just one IT staff member for every 162 total staff and volunteers. Nonprofits’ resources are also highly constrained: 69% of organizations have no dedicated cybersecurity budget, and for those that do, the average annual spend is just $4,311, roughly 10% of what a comparable small business might spend.
“Nonprofits frequently experience cyberattacks that disrupt operations, cause financial losses, and expose sensitive data,” Pierson said. “In other words, cyberattacks for nonprofits are both common and very consequential…. Many nonprofits just are not ready to respond or recover from a cyber incident. Half don’t have instant response plans, nearly half lack a business continuity plan, and 40% don’t carry cyber insurance.”
The researchers next provided an overview of recommendations from their research. The report recommends that nonprofits reduce their collection and storage of sensitive data, which Powazek explained helps in “protecting residents and your own organization without necessarily having to spend any money on hiring IT staff…. The best way to protect data is to not have it.”
The report also recommends that city and county governments help connect nonprofits with support resources, such as “incident response playbooks” detailing how to respond to a cyberattack. Recommendations for Washington’s state government include establishing a working group on nonprofit cybersecurity, increasing grant funding, and facilitating the sharing of cybersecurity services and tools. “We encourage the state of Washington to think about what their role could be in the future to help nonprofits with this challenge,” Pierson said.
Panel: Reflections on the Report — and Policy Recommendations
Following the presentation of the research findings, a panel of state and local government representatives discussed the report’s policy recommendations, as well as practical pathways for closing nonprofits’ resource gaps. Moderated by Shannon Pierson, the panel included Bill Kehoe along with Jake Hammock, Assistant Chief Technology Officer (CTO), Security & Infrastructure Director and Chief Information Security Officer (CISO) with the Seattle Information Technology Department, and Esther Magasis, Director of Human Services for Yakima County.
Kehoe was direct about the government’s responsibility, and suggested that IT support should be baked into the funding nonprofits receive to deliver state services. “You can’t say, ‘Here’s some grant money!’ and then totally ignore the IT component. We wouldn’t do that for a state agency. You wouldn’t do it for a county or city. That’s the mindset we have to have here. We have to put more emphasis when we contract with a nonprofit that there are things that have to be in place.”
Seattle CISO Jake Hammock addressed the “island” feeling many nonprofit leaders experience during a cyber incident. He emphasized “solution transference,” the idea that the city and state can share the tools they use with nonprofits and other entities. Hammock also announced that the City of Seattle was providing free YubiKeys (hardware security tokens) to attendees. “We want to secure these endpoints starting today,” he said.
Esther Magasis brought a crucial rural and social-service perspective. She noted that frontline workers are not technologists, but passionate advocates for people in crisis. “No one goes into social service work because they’re passionate about filling out forms,” Magasis said. She highlighted the “tension” between the need to collect data for funding and the risk that data poses to marginalized communities, such as those seeking immigration or domestic violence support. “Most nonprofits are… going into the work because they’re passionate about the person across the table from them. That’s their number one priority, and everything else fades to the back,” she said.
Support for a “City of Goodwill”
The event concluded with a Cybersecurity Resource Fair to connect nonprofits directly with vetted cyber volunteering nonprofits and managed service providers (MSPs/MSSPs) specializing in nonprofit support. Nonprofits had the opportunity to learn about available services and resources, ask questions, share their cybersecurity experiences, and sign up for free, pro-bono cybersecurity assistance.
Jennifer Ray, Director of Technology Engagements at Apparo, a provider of technology services for nonprofits, introduced “Tech Therapy,” offering pro bono expert advice to help nonprofits shift from a reactive to a proactive tech stance. Adam Eads, Senior Program Manager of Solutions & Services at TechSoup —an organization that connects nonprofits with discounted or donated software, hardware, and IT services from major tech companies — announced a special grant allowing 20 Washington organizations to receive a free year of “TechSoup Plus,” a premium membership tier that includes one-on-one consultations.
Xavier Huber from CyberPeace Builders — a network of cyber volunteers coordinated by CyberPeace Institute— demonstrated a platform that matches nonprofits with vetted cybersecurity volunteers from major global corporations. And Dan Hernandez, founder of MSP Professional Computer Support (PCS) and a board member for several nonprofits, offered a pro bono, level-1 risk assessment (typically valued at $5,000) to help organizations identify their vulnerabilities before a hacker does.
The message from the podium was clear: the “cybersecurity divide” — the gap between organizations that have sufficient resources for digital security and those that do not — is real, but it is not insurmountable if the public, private, and nonprofit sectors work together. “Our city stands for the City of Goodwill,” Jake Hammock concluded in his closing remarks. “Events like this are where these ignition programs start. We want to hear from you… Where will you show up in the spirit of others?”
CyberCAN Washington: A Regional Assessment of Nonprofit Cybersecurity and Strategic Recommendations for Washington State
