The Data Gap: Why Nonprofit Cyber Incidents Go Underreported

It's almost impossible to know how big the cyber threats are against nonprofits because there aren't many reliable ways to keep track of them This article explores cybersecurity incidents nonprofits. . Nonprofits don't have to report breaches as often as businesses in heavily regulated fields like healthcare or finance.

The end result is a broken picture that hides the real threat these groups face. It also makes it harder for them to get more help and resources. We need more information Abnormal Security said in March 2025 that advanced email attacks on nonprofits had gone up by 35% from the year before. The email security company also found that phishing attacks on nonprofits rose by 50% during the same time period.

The "Nonprofits At Work 2025" report from Okta told a similar story: nonprofits were the "second-most targeted industry" in the IAM vendor's customer ecosystem. Cyberattackers are related. Don't Care About Good Things Kelley Misata, Ph.D., CEO and founder of Sightline Security, which helps nonprofits improve security by giving them tools and training, says that even though there are some nonprofit statistics, it's hard to find complete data.

She says that cybersecurity incidents against nonprofits are "significantly underreported" because of a number of reasons. For example, they often show up in the data as collateral damage from attacks on other organizations instead of as direct targets. Misata tells ZeroOwl, "The short version is that the data is there, but it's not all in one place, it's not always nonprofit-specific, and that's not a gap that only we have."

Experts say that one way to help nonprofits deal with cybersecurity issues is to throw money at them. That kind of help is nice, but nonprofits need more. They need to be educated, trained, given time, and treated like a business, especially now that the economy is uncertain, insiders say.

Security experts agree that waiting for perfect data isn't an option, even though these measurements are hard to make. Now is the time for nonprofits to get help. For their suggestions, read "Cyberattackers Don't Care About Good Causes."