
Berkeley study finds 79% of Washington nonprofits hit by cyberattacks; many lack recovery plans

April 17, 2026 | Board Council Commission Agencies, Executive, Washington


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

Onstage in Seattle, UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) released a statewide survey showing that most Washington nonprofits have faced cyberattacks in recent years and many lack the plans and staff to respond. Shannon Pearson, a senior fellow at CLTC, said 79% of survey respondents reported experiencing at least one cyberattack in the last three years.

The report—part of the CyberCAN initiative—used a mixed-methods approach (a written survey of about 100 nonprofits and interviews with nonprofit and local government staff) to map nonprofit cybersecurity posture across Washington. CLTC found most responding organizations are small and local: about 61% have fewer than 20 full-time staff, and a third have fewer than five. Many deliver high-touch services (food banks, shelters, addiction services) that require holding sensitive personal information.

CLTC presenters gave four headline findings: cyberattacks are common and often consequential; nonprofits commonly collect highly sensitive personal data while under-adopting essential controls; nonprofits lack staffing and budget capacity for cybersecurity; and nonprofits delay or deprioritize cybersecurity until after an incident. "These attacks have real, material consequences," Pearson said, describing a vendor-payment fraud in which a nonprofit lost about $300,000 and recovered roughly $200,000 through insurance.

The study documented control gaps and preparedness shortfalls. Multifactor authentication (MFA) is broadly in use: CLTC reported that MFA was enabled in some capacity on common collaboration and storage tools at rates generally above 65%. Even so, roughly half of nonprofits lack incident response plans, nearly half lack business continuity plans, and about 40% lack cyber insurance. CLTC also reported that organizations collecting highly sensitive identifiers (including Social Security numbers and health or immigration information) were more likely to report incidents.

On staffing and budget, CLTC reported that 64% of nonprofits have no full-time IT or cybersecurity staff; the study cited an average of about 1.4–1.5 IT staff per organization and an approximate ratio of one IT staffer per 96 employees. For organizations with dedicated IT/cyber budgets, the average reported annual spend was $4,311. CLTC argued those levels are far below what is needed to sustain robust defenses and recovery.

To address the gap, CLTC’s top recommendation to nonprofits was data minimization: limit collection and retention of non-mission-critical sensitive data when possible. For local and state governments, CLTC recommended acting as connectors to pro bono volunteers and low-cost providers, convening a short-term working group on nonprofit cybersecurity, expanding eligibility of government-funded programs to include nonprofits, and offering shared services or centralized procurement to achieve bulk discounts and managed security services.

CLTC presenters cautioned that the recommendations are their own analysis of the survey results and encouraged attendees to review CLTC’s methodology and full report for details. The report and materials were made publicly available on CLTC’s website at cltc.berkeley.edu.

What’s next: CLTC said it will continue outreach to funders and policymakers to encourage grant conditions and programs that reduce nonprofits’ exposure to sensitive-data obligations and expand nonprofit access to technical assistance.
