Community IT Innovators Nonprofit Technology Topics

2025 Nonprofit Cybersecurity Incident Report with Matt Eshleman pt 2

Community IT Innovators Season 6 Episode 18

2025 Nonprofit Cybersecurity Incident Report: Keeping Your Nonprofit Secure

Community IT CTO and cybersecurity expert Matt Eshleman delivered our annual report on trend lines and took questions live and online in this popular annual webinar. 

In part 1, Matt discusses the landscape and background of cybersecurity attacks nonprofits face now, goes over the lingo and acronyms, and introduces new trends in attacks and protections. In part 2, Matt discusses the data from 2024 and takes questions.


Is your nonprofit prepared?

Drawn from anonymized data from the calendar year 2024 of cybersecurity incidents across end users in hundreds of our small and mid-sized nonprofit clients, this report shows changes in attacks and emerging threats.

Using this real and timely data, Matt walks through recommendations and outlines the practical steps your organization can take to prevent the most frequent attacks. 

He covers new threats and training best practices for your nonprofit staff around evolving cybersecurity issues, including a spike in online and in-person harassment, wire fraud, AI-enabled scams, smishing and vishing, adversary-in-the-middle MFA attacks, and other new and disturbing trends.

You may also be interested in downloading the free Cybersecurity Readiness for Nonprofits Playbook to review a framework for focusing on your cybersecurity fundamentals, or using any of our free cybersecurity webinars and podcasts to learn more about specific protections you can take.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Carolyn Woodard: Welcome, everyone, to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for 2025 with Matthew Eshleman. My name is Carolyn Woodard. I'm the Outreach Director for Community IT, and I'll be the moderator today.

Matt Eshleman: My name is Matthew Eshleman. I'm the Chief Technology Officer here at Community IT. 


Incident Report: The Data

We support about 200 organizations, about 8,000 staff. We’ve categorized these threats in a couple of different categories, from high risk to medium and low risk threats. 

In the high-risk threat category, we have something called brute force attacks. That’s something we really see with organizations that still have on-premises server infrastructure. That number of servers we support continues to really plummet, but organizations still have it. 

If a server is connected to some cloud resources or has any exposure to the internet at all, we see these types of attacks initiated, particularly for us whenever we onboard new organizations. This is one of our specific threat monitors that we turn on. Whenever we onboard a new organization, often we’ll see these monitors trip, because maybe a previous provider had a port open to the internet. They weren’t really looking for it. But if anything is open to the internet, it does get targeted. Brute force attacks focus on physical server infrastructure. 

Compromised accounts, we had 32 of those last year. 

And then in the single digits, advanced persistent threats.

And we did have a couple of cases of wire fraud. 

Ransomware was zero again. 

I think the other thing I’ll just call your attention to is just the number of compromised accounts suspected that we responded to. It was almost 500. This reflects Community IT adding more tooling to help identify these. But we’re also getting a lot of noise.

And I think that’s one thing we’ll flag here in some of the later slides. When there’s an increase in attacks, there’s an increase in the noise as well.

Whenever we compare this year over year, I think this is the thing that gives me a little bit of hope is that there’s actually some red, right? We actually saw a reduction in a number of the attacks year over year. Most notably, I would say, in the confirmed account compromise, right? We went down from a high of 44 in 2023 down to 32. About a quarter, a 20 percent reduction there. We did have more suspected account compromises. Again, a reflection, I think, of more security tools that we had in place to monitor logs and alert us to that.

We saw a reduction in the advanced persistent threats that we were responding to. And a reduction in wire fraud again. So even going from six to three, I think that’s a mark of success. It’s still a relatively low number overall, when you put it in perspective. But those three wire fraud incidents were significant to the organizations that were victims. 

And again, we had kind of nominal numbers in terms of viruses; malware is in a relatively low amount as well. I think part of that is the sample size, right? For our customers, we’re managing updates, we’re deploying antivirus, doing third-party patching, right? We’re investing a lot.

For organizations that are making those investments, endpoint protection is a relatively low-risk area.


Advanced Persistent Threat Techniques

Carolyn Woodard: Without naming names, can you give an example of the Advanced Persistent Threat?

Matt Eshleman: Yes. I mean, there’s lots of the Chinese and North Korean state actors. So, they target our clients that do policy work.

We’ve had a couple of cases where that example that I shared about setting up an interview through Zoom, but then the Zoom interview doesn’t really work. They’ll say, give me your WhatsApp information. I need to send you my WhatsApp. And then they move it out of corporately controlled resources into something else. That’s something that we see quite a lot of, that kind of attack vector. 

The other thing we see with Advanced Persistent Threat Actors is that they will take names of trusted analysts at other organizations and then create very sophisticated spoofed accounts of those individuals and then initiate those conversations. They don’t start off with, hey, can you click on this? But it’s often, hey, I want your input on this paper. We’re convening a meeting. We’re talking about this resource.

And so there will be a steady buildup of communication with the ultimate goal of, yes, having that Zoom meeting, having that interaction where they can get you to click on a link, to open up some software, to do something else to circumvent those controls. 

Spam, spoofing, spearphishing, all of the junk email just continues to increase year over year. I mean, this is one thing that we do train our clients like, hey, if you have something suspicious, send it our way. This is just stuff that clients have sent to us. This doesn’t even represent the things that the spam tools are blocking, right? There wouldn’t be a chart with a big enough scale to show how much stuff we’re already blocking. This is just the stuff that’s getting through. 

Here we’ve got two different scales. The left scale would be the spoofing. So again, 400 or so messages of those are reported. And then the spam, the stuff that people, you can unsubscribe, you can block on your own. You don’t want it; you can get rid of it. But that number does continue to climb year after year. 


Trends for 2025

What can we see? I don’t know, maybe the peak is over in terms of cyber threats.

When I was looking at the data, kind of reflecting back on it over the year, some of the stuff that we are talking about in terms of phish-resistant MFA and maybe the maniacal focus on security awareness training, I think just how effective I think that is. I think it’s paying dividends. 

And I think the other piece around that is I think the staff are aware of wire fraud. I think a lot of organizations, particularly those that do microfinance or that kind of granting have been stung in the past. I think organizations have improved their financial controls internally. They have built not only improved technical protections, but also process improvements to say, if we’re going to make a wire change in wire payment information, we call the person from a number we already have. We have to have a Zoom meeting with a person to confirm this. We don’t just do stuff over email as the only way. 

I think the other piece is that, and we saw it a little bit in the data, right? The new tools are in place that require additional monitoring capabilities. For a lot of those account compromises, we were able to respond to those because we have tools in place that alert us when something suspicious is happening, but they still have a pretty high false positive rate. One of the things that we’re struggling with is managing the volume of alerts, right?

We had almost 500 alerts for suspicious logins, but there were only 30 true account compromises. I’m glad we knew about it because we can respond quickly, but it doesn’t mean that there isn’t a lot of noise that we have to filter out. 

I think organizations are taking that step to invest in their protection. And there’s a lot, I think a lot of great tools, right? So even a couple of years ago, I would say that area was pretty immature. But now I feel like we’ve got really great cybersecurity protection tools available to help guard against the most common threats like spam and email-based attacks. There are really good tools that we can implement to help protect against that. And the same thing with cloud identity protection. There are really good tools now to help identify, monitor, even proactively block whenever something suspicious seems to be happening. And then I think there is an opportunity. 

Protection needs to expand beyond the boundaries of work. I think we had a blog post to talk a little bit about some things that you can do to protect your own personal digital identity, because that does seem to be at risk more and more, you know, particularly in those kind of focused organization sectors.


Nonprofit Organization Protections

So, it’s not all necessarily doom and gloom, and I always like to talk about, well, what can we do to protect your organization? 


Policy Foundation/IT Governance

And, you know, it really comes back to that policy foundation. If organizations have not taken that step already, or maybe have a policy that was adopted a while ago and hasn’t been updated, that’s a good opportunity to start.

IT acceptable use, just kind of that general framework, right? Incident response. And I think this is one, it’s important for organizations to have. If Community IT is your IT partner, we have our incident response policy, right? That’s what we do. Whenever you tell us you have an incident.

But organizations need to have that for themselves as well. You know, what do we do? Calling your IT provider is part of that, but there’s probably other things that you need to do as an organization beyond just talking to your IT partner.

AI acceptable use. Again, there’s lots of great AI policies. I think the challenge for them is not the policy itself, but it’s the implementation, governance and ongoing support.

Having that disaster recovery, disaster response plan, and then data retention policy. I will just say that this is something we’re seeing organizations be more attentive to, particularly in the last couple of months. Just how much data are we retaining, particularly on email, and making sure that if we say, hey, we’re going to keep data for a year or 18 months or two years, that those policies are then followed up with the mechanism to actually purge out data after those times.


Security Awareness Training

Again, security awareness training, we’re big fans of that. It doesn’t need to take up a lot of time, but it needs to be part of the culture of the organization. It also gives you an opportunity to talk about security at your staff meetings, results, phish tests, all those things that I think are important and just help to build a culture of security.

For organizations, I think phish-resistant MFA is a big thing to focus on. It doesn’t necessarily need to be everybody in the organization. It’s a little bit of a higher lift than the MFA that we all have in our pockets, but it’s an important step, particularly for folks in the finance, IT, maybe HR, people that maybe have access to more sensitive information.

As we’ve seen, spam and spoofing like that is the biggest threat organizations face. It’s where a lot of the attacks start. There’s clickjacking, all that stuff really starts in e-mail. If we can reduce that, I think that reduces the surface area for attack. A third-party e-mail filtering tool is really important to help protect against that. The same is true for Cloud Identity Protection. This is a new solution area that has really matured in the last year or so. Now, there’s really good tools that are worth leveraging that have a much lower false positive rate that can help identify, like, hey, this suspicious Cloud account doesn’t look right, like we’re going to lock it automatically or have built-in alerting rules to help protect against those account compromises. 

Then finally, the basics, patching, updating your computer. It’s all boring. Restarting your computer once a week, that’s actually a great security thing that you can do. Doesn’t take much time, but it’s important because it helps all those security updates get applied and keep your device secure.

Carolyn Woodard: We do have our Community IT Cyber Offerings. That’s at communityit.com/cybersecurity. You can find how we think about it and what we offer, and also a bunch of free resources as well that I’ve been sharing here in chat and I’ll put in the transcript.

And of course, they’re on our site. You’ll also find the link to schedule some time with Matt there to grab some time and talk to him about your cybersecurity questions or if you need an assessment. 

We do have a monthly webinar series. Next month, it’s going to be May 28th. We are going to be talking with Nuradeen Aboki about IT essentials for your nonprofit in these challenging times. He’s going to talk with us about making the hard choices in our current climate and facing challenges with your essential IT intact. We’ll talk about governance that helps you manage risks and how to budget wisely. We’ll also talk about in-house versus outsourcing IT and where you can find some value there, especially if you’re facing staffing cuts or major disruptions in your programs or your funding. We’ll talk about how you keep your IT lights on in the midst of changes to your nonprofit, and also how do you maintain a healthy workplace with all of this mounting stress as we’re continuing to deal with all these challenges.

That’ll be at 3 PM Eastern, Noon Pacific on Wednesday, May 28th. I’m going to share the link for that as well. You can register for it right now. It’s just going to be on Zoom. We really appreciate you joining us for these monthly webinars. We love sharing our information and resources with the community.

And I just love that the chat today was really active. People were sharing ideas and information. So Matt, if you can stay on for a minute or two, and if the people in the Zoom can stay on, we have a couple of questions for you.

I do want to go back over our learning objectives. We were going to learn about a basic approach to cybersecurity, the trends in the attacks and the organization protections that we saw in 2024 and beginning in 2025 as everything is changing, we wanted to understand evolving security best practices and learn the role of governance policy and training in protecting your nonprofit from these common scams and from new scams that are coming up. 

We’re hoping that you’ll hear about it here, be able to train your staff on it before they see it in the wild and they see the pastejacking or the other types of new scams that are coming through. I hope that was helpful. 


Q&A

Now we’ll go to Q&A and I want to make sure that if we have Q&A questions in the room as well, we can ask those. But there were a couple in the chat. One is,


Do you have any advice for communicating these threats and individual responsibility against cyber-attacks with staff, especially if you’re not getting responses, folks aren’t reading their e-mails, et cetera?

Matt Eshleman: Yeah. I mean, I think it’s a challenge. And I think it’s something that really starts from the top.

When we talk about security awareness training, it’s something that whenever we kick it off, we ask for time at a staff meeting and we ask to be introduced by the executive director. It’s something that really starts at the top and is something that everybody needs to be involved in. And so, if your organization, if you’re an executive director or your operation staff are like, ah, security awareness training is something for everybody else, but we’re not going to participate in it, you’re probably not going to be successful.

I think fortunately, with our clients, we are really seeing executive directors and leadership understand the risks that it presents to their organization. And so, they are in favor of it. I think communication does need to be multi-channel. You can’t just rely on email alone. And again, that’s why whenever we kick off our Security Awareness Training, it’s a meeting that we do. It’s part of a staff meeting. So, there’s an in-person element, there’s email follow-up. 

And then something that we do is whenever clients report phishing messages to us, from time to time, we want to report back and provide some feedback. So again, I think it needs to be a multi-channel approach, so that they’re not just hearing it one time once a year, but Security Awareness Training and Security Education needs to be something that is really infused into the organization on a regular basis just as part of the ongoing conversation that’s happening at your organization.

Carolyn Woodard: Yeah, I think sometimes when you get the employee handbook on the first day or two that you’re at your organization and then you never hear about it again, that’s not a good situation. You want to make sure that it’s ongoing. But then yeah, you do have to be careful about it becoming all the time.

And try to enlist your staff as part of your army. They’re protecting your organization and they care about it enough to work for your organization. So hopefully, they can take that to heart.

We have another question. 


Do you have any thoughts on Microsoft saying that passkeys are the future of authentication and they’re going to be eliminating passwords and two-factor authentication?

Matt Eshleman: Yeah, I think it’s great. I think Microsoft is doing it because they have the data that they can see, just how many account compromises are occurring. I think they’ve been exploited in that attacker in the middle methodology. I think they are working to provide more secure ways to provide access to information. 

I think as organizations can make that switch into passkeys, that combines a more physical connection to that authentication. In the attacker in the middle example, the problem is that authentication token can be moved. It works on this device, but then somebody halfway across the world can still use it to authenticate. Passkeys are tied to physical devices, and so in the same scenario in the attacker in the middle, if you would click on that, you had a passkey, that authentication is bound to the device that you are on, and it cannot be moved and used somewhere else. 

I think they’re doing a lot of innovation. They’re dragging some people kicking and screaming into that, but I do think it’s a good step to take, and it’s needed. We can see it from the data, even with MFA, there’s a lot of account compromises that are still occurring and that we can actually prevent through some of the improved technology controls. 

The next question is, 


Should we remove staff information from your website?

I would say it depends on your organization’s risk tolerance and the sector that you’re in. I think in general, bad guys are using it to know more about your organization. Threat actors are saying, oh, here’s the people on the board, here’s the executive leadership, here’s the accounts payable person. I’m going to use that information to create a compelling email to say, oh, the board member needs this access or here’s the invoice for these executive services for this person.

I think in general, publicly available information is used by threat actors for primarily financial schemes. 

I think the organizations that we have seen take the steps to remove personal information from websites have been those that are getting like those, like just vitriolic personal attacks. That’s more like targeted at those nonprofits specifically. Immigration is something that we’ve seen a lot, you know, refugee asylum, LGBTQIA. So those people are targeted more for those direct personal attacks, in addition to just the financial fraud stuff that just kind of occurs.

I think that’s something that organizations need to be aware of, and it’s probably a risk tolerance conversation that needs to happen.

Carolyn Woodard: Do you have more questions? Any other questions? No? All right. Well, in that case, Matt, I think we will finish up. I want to thank you so much for your time today. In person, we got to ask you our questions. And thank you everyone who joined us through Zoom. We really appreciate it. We love doing these monthly webinar series. I’m going to let you get back to your day. Thanks for staying over a minute or two with us if you were able to.

And I hope to see you next month for that webinar on Essential IT in Challenging Times. And so we’ll come back, and join us, and we’ll talk about how we’re all going to get through this together. Thank you again and have a great rest of your day.