UC Berkeley, WaTech to survey Washington state nonprofits on cybersecurity
The State of Washington and the University of California, Berkeley’s Center for Long-Term Cybersecurity on Wednesday announced a partnership designed to help municipal governments better understand the cybersecurity challenges faced by their nonprofits.
Part of UC Berkeley’s Cybersecurity for Cities and Nonprofits, the initiative is funded by a $500,000 grant from the IT services firm Okta. It plans by the end of the year to identify opportunities for Washington Technology Solutions, the state government’s technology department, to help improve the cybersecurity resilience of nonprofits.
“The real benefit of this partnership is the focus on people who get vital services in Washington — no matter where those services come from — government, or non-profits,” Bill Kehoe, Washington’s chief information officer, wrote StateScoop in an emailed statement. “By protecting non-profit organizations from cyberattacks, we’re working to ensure people get the best from their state or local governments.”
Starting in July, researchers plan to begin conducting interviews and surveying 500 nonprofits across Washington. The survey, which is designed to measure organizations’ cybersecurity maturity and data-collection practices, is an expansion of a similar project UC Berkeley conducted in San Francisco last year.
Sarah Powazek, the program’s director, said the partnership aims to enhance cybersecurity for nonprofits, which, she says, are often overlooked as critical infrastructure.
“We think a lot about small businesses, nonprofits, local governments, utilities, the types of organizations that, by themselves, might not meet the threshold of a national security threat, but very much weave together the thread of public life at the local and community level,” Powazek said. “So how do we use cybersecurity as a means of making sure those services are always available?”
Powazek said nonprofits often act as supplementary providers of critical social services, such as food banks, child care and legal assistance. They also sometimes hold sensitive data like Social Security numbers and banking and medical information.
“It frankly aligns well with digital equity goals at the state level to say: ‘We are going to take responsibility for all the services that our state residents rely on, regardless of whether or not they have the finances to pay for it,'” she said. “These are services without which many residents would face hardship almost immediately, so they are institutions that we need to consider critical within the state.”
The initiative’s 2024 pilot survey in San Francisco revealed that 53% of city’s nonprofits have no full-time IT staff and 84% face frequent cyberattacks, largely phishing campaigns and business email compromises. The group looked at 68 nonprofits in that survey.
“We found that of the nonprofits that we surveyed, the average ratio of full time IT staff was like 1:96, so a lot of that responsibility is falling upon one person,” said Shannon Pierson, a senior fellow on UC Berkeley’s cyber team.
Pierson said a combination of chronic understaffing and the sensitive information they hold make nonprofits and the residents they serve easy targets for cybercriminals. She said they’re vulnerable to scams like tax fraud and identity theft.
“They’re highly targeted and kind of like low-hanging fruit, but they don’t often know how to bulk up their cybersecurity,” she said. “It’s not something that they always think about until an incident happens.”
Pierson said the initiative also aims to connect nonprofits with cybersecurity resources and support — such as vendors, training programs and IT professionals — aligning with Washington’s whole-of-state cybersecurity model.
“We’ve adapted our methodology and kind of scaling this up to more nonprofits so that we can better understand the gaps,” Pierson said. “Like how state government can to intervene to help close them in ways that make the most sense for the government, as well as nonprofits.”
