Preventing Ransomware: What Nonprofits Need to Know

By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Preventing Ransomware: What Nonprofits Need to Know

Verizon’s 2022 Data Breach Investigation Report states that a whopping 35% of ransom incidents are the result of phishing. This percentage is unchanged over the past five years, illustrating that businesses and not-for-profit organizations are struggling to sufficiently educate their employees.

In our experience, most nonprofits today have information security policies, and it is a best practice to provide security awareness training to employees at the time of hire.

What else can you organization do to stay vigilant in preventing email security threats, including ransomware?

How employee training can prevent ransomware

We know that most ransomware incidents start with attacks aimed at end users, and best-in-class security tools cannot stop all attacks. Consequently, end users are a critical line of defense for attacks that penetrate perimeter defenses. As a result, it is important for nonprofit organizations to train their employees and volunteers to identify cyber threats and respond appropriately.

Cybersecurity training for your nonprofit team

To promote a behavior of cyber diligence/skepticism, your nonprofit needs to continually educate your team and volunteers that have access to the organization’s computers on the importance of being vigilant when opening emails, clicking on links, and entering password information.

As an additional security measure, your nonprofit should not have a one-size fit all training for staff. Security awareness training should be tailored to the specific employee’s job responsibilities. Certain employees such as IT employees might need more in-depth and frequent training because of their broader access levels. Additionally, your organization should perform periodic phishing campaigns to test employees’ ability to identify potential threats. Employees that fall for the phishing campaign should get additional security awareness training.

Since email is a primary vector for cyberattacks, including ransomware, your nonprofit can help employees ward off threat actors by implementing certain email protection controls, to include:

Attachment filtering

Email systems can be configured to block or allow files based on file extension. We recommend enabling the common attachment type filter in your organization’s email system to automatically quarantine messages that contain the specified attachment types. By adding this filter, your organization reduces its reliance on employee judgement in opening questionable email attachments.

In addition to the common attachment type filter, we recommend:

  • Blocking all file types that are not required for business purposes,
  • Blocking macro-enabled office documents including .docm, xlsm, and pptm, as these can be used to execute arbitrary code and download ransomware from the internet, and
  • Blocking all zip files. Password protected (encrypted) zip archives cannot be effectively scanned and are released to the recipient without warning. Encrypted zip files are often used to hide malware, including ransomware, from scanners.


Sandboxing is a type of security service that automatically and safely opens email attachments away from your organization’s network and computers. The service observes the behavior of the attachment in a safe environment to determine if it opens normally or exhibits behavior indicative of malware. If it does not open normally, the sandboxing service blocks the attachment. These services are critical because ransomware frequently evades traditional malware scanning techniques but is more easily identified when opened and its behavior observed. We recommend utilizing a sandboxing service to protect against unknown malware and viruses and provide zero-day protection to safeguard your emails.

Link Checking

Link checking services rewrite all links of inbound emails so that, when a user clicks a link, the user briefly passes through a security service where the destination URL is checked against a list of known malicious websites and scanned for malware. These services can prevent an employee who clicks on a malicious link from continuing to the malicious website thereby potentially preventing a ransomware download or falling for a phishing scam that could lead to ransomware or other cyber-attacks.


Email-based geo-blocking prevents inbound emails originating from geographies the user organization elects to block. This can help further prevent malware from reaching a user’s inbox. We recommend utilizing the “Anti-Spam inbound policy” and setting up the “International Spam – regions” setting.

Email Signing and Authentication

Domain-based Message Authentication, Reporting & Conformance (DMARC) uses a Domain Name System (DNS) entry to provide additional assurances around the authenticity of a sender that go beyond the benefits of Sender Policy Framework (SPF). We recommend implementing DMARC in the email DNS records. It is free to implement and is typically a straightforward process.

When making changes to your email environment, nonprofits should recognize that:

  • Most effective security layers will impact the end user
  • End users often advocate for technology choices which, if implemented, materially decrease the security of a network
  • New security requirements met with complaints and confrontation are likely to dis-incentivize IT security staff to continuously improve security
  • Despite extensive testing, there can be temporary ‘breakage’ when deploying new security tools and settings

To mitigate the above, we recommend extensive communication before, during, and after new security procedures, tools, and settings are deployed so users are aware of potential interruption and have a means to communicate issues they encounter.

Nonprofits that combine robust employee education practices paired with strong email protection controls can go a long way to preventing an employee or volunteer from clicking the wrong link or opening the wrong document that results in a ransom event and causes major headaches for all involved.

To assist nonprofits with assessing their ransomware risk, Keiter Technologies has developed a Ransomware Risk Assessment program that provides insights into the key areas of an organization’s cybersecurity that directly relate to ransomware. Contact your not-for-profit Opportunity Advisor to learn how we can help your organization mitigate cybersecurity risks.

Share this Insight:

About the Author

Scott M. McAuliffe

Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner

Scott leads the Firm’s Risk Advisory Services practice, which focuses on providing internal audits, cybersecurity and information technology consulting, Sarbanes-Oxley assistance and System and Organization Controls (SOC) Exams. Scott focuses on providing his clients with cost effective solutions to build strong, efficient internal control systems/practices that support their strategic objectives. In 2021, Scott achieved the Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) status in order to provide CMMC services to Department of Defense prime and subcontractors.

More Insights from Scott M. McAuliffe

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us