Ask most foundation leaders what “cybersecurity” means, and they’ll describe firewalls, phishing simulations, and password policies. They’re not wrong, but what they describe is a much smaller problem than the one we face.
Technology, however, is no longer just a set of tools organizations use; it is embedded throughout the environment we operate in.
The way foundations communicate with grantees, the way nonprofits mobilize communities, the way staff coordinates work, the way donors decide where to give: all of it flows through digital systems that are contested, surveilled, and increasingly weaponized. The scope is increasingly broad and fraught with financial, reputational, and even physical risks.
By focusing just on cybersecurity, the philanthropic sector is operating with a dangerously narrow definition of risk. As technology reshapes how we communicate, fund, and organize, foundations and nonprofits need to retire the old mental model of cybersecurity as a technical IT problem and replace it with something more expansive: a comprehensive approach to managing complex, interconnected risks.
The philanthropic sector needs a new frame. “Digital risk” is a broader, more honest account of what it means to protect your organization, your people, and your mission in the world as it actually exists.
What Digital Risk Actually Looks Like
At our 2025 Technology Association of Grantmakers Global Conference in Atlanta, Sasha Cohen O’Connell, senior director of Cybersecurity Programs at Aspen Digital, told the audience that “Philanthropy is amongst the most targeted groups” by bad actors. But the threats targeting the sector don’t fit neatly into the IT department’s purview.
Disinformation campaigns can misrepresent a foundation’s funding decisions or poison a public advocacy effort before it launches. Doxing, the deliberate exposure of private personal information, has come to be used against organizational leaders, activists, and grantees, particularly those working on politically contested issues. “Staff can be targeted and conspiracy theories leveraged,” O’Connell said. A manipulated video, a coordinated harassment campaign, a spreadsheet of staff personal data posted to a public forum: these are digital threats with profound, real-world consequences, and none of them show up on a standard cybersecurity checklist.
This is what digital risk looks like for mission-driven organizations: not just unauthorized access, but narrative attacks, reputational damage, and the erosion of the trust that makes the work possible.
Resilience Requires the Whole Organization
The philanthropy sector has a habit of treating reputational risk as a communications problem and technical vulnerabilities as an IT problem. They are not mutually exclusive; they are interconnected. A hijacked social media account can amplify a disinformation campaign. A data breach can fuel a targeted harassment effort. Lisa Kaplan, founder and CEO of Alethea, made the point plainly at our recent conference: “We have been making security a tech issue, but teams need to work proactively together to get to resilience.”
Managing digital risk well means cross-functional conversations that bring together IT, communications, legal, and program staff. We need a cross-functional approach because the risks don’t stay in their lanes. Siloed responses are not enough to address the nature of risk in the current digital ecosystem.
The Threat Environment Doesn’t Stand Still
The old model of security assumed that with the right tools and trained staff, you could achieve a fixed, defensible state. That assumption is obsolete. The same AI tools that help nonprofits stretch their communications capacity are now being used to generate convincing impersonation content at scale. The threat environment is adaptive, and safeguards need to evolve in kind.
That means moving from compliance-oriented, check-the-box thinking to resilience-oriented thinking: can we detect, respond to, and recover from things we haven’t anticipated yet? While those check-box items are still important, we need to broaden our capacity to manage risks on an ongoing basis. This means building organizational cultures where staff can flag anomalies without fear, where protocols are reviewed regularly rather than once at onboarding, and where leadership treats digital risk as a strategic issue, not a back-office one.
The philanthropic sector has an enormous amount at stake in getting this right. Disinformation campaigns targeting social justice funders, doxing of reproductive health advocates, and coordinated harassment of nonprofit staff aren’t hypothetical scenarios. They’re happening now.
Cybersecurity is no longer enough. What we need is a culture of digital resilience.
Jean Westrick is president and CEO of Technology Association of Grantmakers.


