2025 State of Humanitarian and Development Cybersecurity Report: Continued progress, but more is needed to keep pace with rapidly evolving threats
NetHope (2025), 37 pp.
Contains graphs
"This report reveals a notable rise in perceived cybersecurity risk within the nonprofit sector, with 70% of organizations reporting an increased cyber risk profile in 2025, up from 51% in 2024. Encouragingly, confidence in managing these risks has also improved, with 56% of organizations feeling confident in their cybersecurity posture, up from 45% in the previous year. The cyber threat landscape has become more diverse and frequent. Credential-based attacks – particularly phishing – have surged, affecting 94% of organizations, while financial fraud impacted 45%. Additionally, insider threats and emerging risks such as mercenary spyware have also surfaced. This multifaceted threat landscape underscores the need for layered defense strategies and a strong culture of cyber resilience.
Attribution capabilities remain limited. Over three quarters (77%) of global nonprofits are unable to attribute attacks to specific threat actors. Among those who can, common adversaries include hacktivists, government-linked entities, and criminal networks. Improving attribution through shared training, intelligence sharing, and collaborative frameworks is critical. In 2025, over half of respondents (53%) reported experiencing a security breach or other critical data incidents. This is a decline from 65% in 2024. In addition, the percentage of organizations reporting no such incidents rose to 40% in 2025, up from 29% in the previous year. While these trends indicate progress in cybersecurity resilience, the broader risk environment remains a serious concern." (Conclusions, page 6)
Attribution capabilities remain limited. Over three quarters (77%) of global nonprofits are unable to attribute attacks to specific threat actors. Among those who can, common adversaries include hacktivists, government-linked entities, and criminal networks. Improving attribution through shared training, intelligence sharing, and collaborative frameworks is critical. In 2025, over half of respondents (53%) reported experiencing a security breach or other critical data incidents. This is a decline from 65% in 2024. In addition, the percentage of organizations reporting no such incidents rose to 40% in 2025, up from 29% in the previous year. While these trends indicate progress in cybersecurity resilience, the broader risk environment remains a serious concern." (Conclusions, page 6)
"This 2025 State of Humanitarian and Development Cybersecurity Report identifies key cybersecurity threats, trends, and capacity gaps affecting the nonprofit sector. Drawing on survey data from 30 global nonprofit Member organizations, the report provides a sector-wide view of prevailing challenges and emerging best practices in cybersecurity. This marks the fourth State of Cybersecurity report developed by NetHope’s Digital Protection team, the NetHope Center for the Digital Nonprofit, and the NetHope Global Humanitarian ISAC, following the 2024 and 2023 releases (the 2022 release was not publicly shared). The findings support evidence-based decision-making for Member organizations and the broader nonprofit ecosystem, informing strategic priorities, guiding investments, and shaping advocacy efforts. Moreover, they guide the programming of NetHope’s Digital Protection Program and the NetHope Global Humanitarian ISAC, to make nonprofits more resilient against cyber threats from nation state and other hostile actors, offering training opportunities, grants, a virtual Chief Information Security Officer (vCISO) service, and peer support, to address capacity gaps and drive systemic improvements." (Page 5)
High-Level Conclusions -- Key Takeaways and Recommendations -- Results and Discussions -- Staffing -- Responsibility and Governance -- Budgeting -- Cybersecurity Frameworks -- Threat Detection and Response Tools -- Account Protection and Multi-Factor Authentication -- Asset and User Account Management -- Cyber Insurance -- AI Solutions for Cybersecurity -- Conclusions and Next Steps
