
When we think of cybersecurity breaches, massive corporations and government agencies usually come to mind. But in recent years, a quieter crisis has been building: non-profit organizations, especially those across Illinois, are becoming increasingly attractive targets for cyber criminals. With lean budgets, limited IT staff, and valuable data, non-profits are seen as low-hanging fruit by attackers. And the most common tactic used to break through their defenses? Phishing.




The Overlooked Vulnerability of Non-Profits

Non-profit organizations operate with a different mindset from corporations. Their focus is on mission-driven work, often with limited resources and staff wearing multiple hats. While that ethos is admirable, it leaves gaps in operations that cyber criminals are eager to exploit. Many of these attacks target small to mid-sized organizations.

These attacks aren’t just annoying spam emails. Many are highly targeted and sophisticated, designed to look like messages from donors, grant administrators, or even internal leadership. The goal? To trick recipients into clicking malicious links, entering passwords on fake login pages, or transferring funds.

Sobering Examples: Breaches in Illinois Non-Profits

In August 2023, Hospital Sisters Health System (HSHS), a non-profit healthcare network headquartered in Springfield, Illinois, reported a major cyberattack. Over 882,000 patients were notified that their personal and health information had been exposed. The breach affected systems across multiple facilities and highlighted the growing risk facing non-profits that handle sensitive data.

According to public disclosures, compromised information included names, addresses, medical histories, and insurance details. The attack underscored the importance of both proactive protection and incident response planning—especially for organizations entrusted with the well-being of vulnerable populations.

More recently, in May 2024, University of Chicago Medicine, a not-for-profit academic medical health system, disclosed that it may have exposed the personal information of approximately 10,300 individuals through an email-related incident, according to the Chicago Tribune. The exposure occurred due to unauthorized access to employee email accounts, once again illustrating the devastating consequences of phishing and email-based attacks.

These incidents show that even well-resourced non-profits are not immune. If organizations like HSHS and University of Chicago Medicine can fall victim to cybercrime, smaller organizations must be especially vigilant.

Why Non-Profits in Illinois Are Especially at Risk

Illinois is home to thousands of non-profit organizations, from grassroots community groups to large philanthropic and healthcare institutions. The state’s rich ecosystem of charitable work also makes it an appealing target landscape for cyber attackers.

Several factors contribute to this vulnerability:

  • Outdated Systems:
    Many organizations rely on legacy software and older hardware. These systems often lack the latest security updates or compatibility with modern protective tools.
  • Mixed Device Use:
    Staff may use personal devices for work, especially in smaller orgs with hybrid or remote work structures. This blurs the line between personal and organizational security protocols.
  • Limited IT Resources:
    Few non-profits have dedicated cybersecurity personnel. IT tasks often fall to generalists or outsourced providers who may not specialize in threat prevention.
  • Lack of Training:
    Staff often aren’t trained to recognize phishing attempts, and awareness campaigns are rarely built into onboarding or ongoing education.
  • High-Value Data:
    Non-profits handle sensitive information—donor financials, client data, medical histories, and more. This data can be sold or used in future attacks.



The Most Common Threats Facing Non-Profits

While phishing remains the most prevalent threat, it’s not the only tactic in a cyber criminal’s playbook. Other attacks include:

  • Ransomware:
    Attackers lock access to systems and demand payment to restore data.
  • Business Email Compromise (BEC):
    Impersonation of executives to request sensitive data or payments.
  • Credential Stuffing:
    Using leaked usernames and passwords from previous breaches to access accounts.
  • Malvertising:
    Embedding malware in fake online ads, often clicked on by users searching for tools or resources.

Each of these can begin with a phishing email. That’s why preventing these emails from getting through—and training staff not to engage with them—is critical.

5 Cybersecurity Fixes Non-Profits Can Implement Today

You don’t need a six-figure security budget to protect your organization. Here are five realistic, high-impact steps any Illinois non-profit can take right now:

  1. Enable Multi-Factor Authentication (MFA):
    This is the single most effective way to protect email, CRM, and cloud accounts. MFA ensures that even if a password is compromised, a second verification is required.
  2. Launch a Phishing Awareness Program:
    Quarterly 60-minute training sessions can dramatically improve awareness. Use real-world examples, not just generic slides. Services like KnowBe4 offer free or low-cost simulated phishing campaigns.
  3. Back Up Data Frequently:
    Use cloud-based backups that are encrypted and not connected to the main system. Test recovery processes monthly.
  4. Use Free or Low-Cost Tools:
    Microsoft Defender, Cloudflare’s DNS filtering, and Google Advanced Protection offer strong security features at little to no cost.
  5. Develop an Incident Response Plan:
    Have a clear, step-by-step document outlining who to contact, how to isolate infected systems, and how to notify stakeholders.

Infographic: Why Multi-Factor Authentication (MFA) is a must

Infographic: How to Spot a Phishing Email

Local Resources for Cybersecurity Help

Illinois non-profits don’t have to go it alone. Reintivity, a Managed IT Services and Consulting firm based in the region, helps non-profits navigate the complex world of cybersecurity with tailored solutions that meet budget constraints. From strategic consulting to hands-on implementation, Reintivity offers:

Reintivity understands the unique challenges facing non-profits and provides scalable services that grow with your organization’s needs.


Build Cyber Resilience, Not Fear

Cybersecurity doesn’t have to be a scary or overwhelming topic. In fact, building a culture of cyber awareness can empower your team and strengthen your mission. Non-profits are doing important work in Illinois communities, often picking up where government programs leave off. Protecting that work means protecting your digital presence.

Start small. Update your systems. Talk to your staff. Ask your IT provider about phishing protections. Set aside a few hours each quarter to evaluate risk and plan ahead.

The threats are real, but so are the tools to fight them. With awareness, action, and a little outside help, Illinois non-profits can continue serving their communities—without serving up an easy win to cyber criminals.


Is your organization protected? If you’re unsure, reach out to us for a quick check-up.
A 30-minute call today could save thousands in losses tomorrow.