Microsoft announces security programs for nonprofits as nation-state attacks increase

The Security Program for Nonprofits will offer nonprofits free security assessments, training and access to Microsoft security tools.
Written by Jonathan Greig, Contributor

Microsoft unveiled a new suite of tools on Thursday built to protect nonprofits as threats against philanthropic organizations globally have skyrocketed, particularly from nation-states. 

The Microsoft Security Program for Nonprofits has three different components, including free access to the AccountGuard program, free security assessments and free training pathways for IT administrators and end-users.

Justin Spelhaug, vice president of Microsoft Tech for Social Impact, and Flora Muglia, business strategy manager for Microsoft Tech for Social Impact, told ZDNet that the company's goal is to sign up 10,000 nonprofit organizations in the next year and 50,000 organizations over the next three years.

Spelhaug said the company was interested in creating the program because nonprofits have become the second most targeted industry by nation-state attacks.

"31% of all nation-state notifications that we send out to organizations go to nonprofits. These are organizations that are human rights organizations, think-tanks, organizations with sensitive information that nation-states want to get their hands on," Spelhaug said.

"Cybersecurity threats are on the rise, and most nonprofit organizations do not have the same advanced network security protocols or resources or security models that a well-funded private corporation might have. 70% of nonprofit organizations haven't conducted a vulnerability assessment, 80%, based on our research, don't have a cybersecurity strategy in place. And that just makes cybersecurity threats more of a reality each and every day. The attacks are becoming more sophisticated."

He specifically mentioned Microsoft's warning in May that Russian-backed group Nobelium was conducting a wide-ranging phishing campaign after the Russian-backed group managed to take control of the account used by USAID on the email marketing platform Constant Contact. 

The attack targeted roughly 3,000 accounts at more than 150 organizations. At least a quarter of those involved work in international development, human rights and humanitarian work. 

"The sector is at a critical junction because we've all gone digital. The pandemic has made us all go even more digital, and threat vectors are increasing. Unfortunately, nonprofits are being targeted, and we need to do something about it. And that's why we built this program," Spelhaug said. 

Data from Microsoft shows that NGOs received 23% of all notifications from 2018 to 2021. These organizations are typically considered attractive targets for nation-state actors because they carry information about political views and loyalty to parties or individual political candidates. 

In a recent survey, 21% of North American foundations reported a security breach in the preceding two years, with ransomware attacks as the largest single cause (38%), Microsoft said, adding that the average cost of a security incident in the nonprofit sector is $77,000, with the current average cost of a data breach overall being $4.24 million, 10% higher than the average cost in 2019. 

Muglia said the program will also help organizations that need to comply with certain rules for cybersecurity insurance and assist in finding where their gaps might be. 

Muglia explained that the free security assessments will help organizations better understand their risk profiles, their vulnerabilities in their existing endpoints, identity access, infrastructure, network, and data with the objective of "supporting and prioritizing an immediate action and remediation plan to better protect their environment from any imminent risk with support from its partner ecosystem."

The AccountGuard tool identifies when an Office 365 organizational domains or Outlook and Hotmail personal domains are targeted or compromised by nation-state actors, letting organizations know before it's too late. 

"Microsoft has cultivated training pathways to streamline the top-recommended training for nonprofits, regardless of role. Employees from any background will be able to learn the latest strategies to protect themselves from online scams and attacks and work from home more securely," Spelhaug noted. 

Muglia added that ahead of the announcement on Thursday, a few hundred organizations signed up for the AccountGuard part of the program when it went live in many organizations' Microsoft portals on September 26. 

"Most nonprofit organizations do not have large IT teams. They do not have in-depth security specialists, and they do not have consulting firms guiding their every action to protect their data and they often are federated, meaning they have disparate IT systems and different environments under the same organization," Spelhaug said. 

"There's a lot of work to be done in this industry. Every online NGO has donors, funders and beneficiaries. They have important information to protect, and our technology and the offers that we're providing scale down to small organizations."

As an example, Spelhaug shared the story of the International Rescue Committee groups working in Afghanistan. He said they are one of the few organizations that stayed behind to help with the humanitarian situation caused by government change. 

As an organization working with dozens of different ethnic groups and vulnerable populations, they needed to protect their data. 

"It was critical for the IRC to get the right information security technology in place to protect the data of their staff members so that it did not fall into Taliban hands and be used for purposes of persecution, effectively allowing them to identify different ethnic and religious groups to do bad things," Spelhaug said. 

"We mobilized immediately, and we've deployed our endpoint protection capabilities as well as some advanced security capabilities with IRC in an effort to protect the staff. But just as importantly, to protect the beneficiaries, they serve in Afghanistan."

Editorial standards