Civil society organizations are now on the front line of cybersecurity risk. Nonprofits, digital rights groups, independent media, humanitarian organizations, advocacy groups, and community-focused institutions increasingly depend on websites, email, cloud platforms, and online collaboration tools to deliver their missions. But many of these organizations operate with limited budgets, small teams, and little or no dedicated cybersecurity support.

Cloudflare’s 2026 report on cyberattacks against civil society shows how serious this challenge has become. The report, based on data from organizations protected under Project Galileo, found that civil society groups face frequent and intense cyber threats, including DDoS attacks, exploitation of website vulnerabilities, phishing campaigns, and Internet shutdowns.

Through Project Galileo, Cloudflare provides free cybersecurity services to organizations supporting the arts, human rights, journalism, and democracy. The program covers more than 3,400 domains belonging to organizations in 120 countries.

For nonprofits, the question is not whether they are “too small” to be targeted. The question is whether they are prepared enough to keep serving their communities when attacks happen.

Key Findings

Distributed-denial-of-service (DDoS) attacks were the most common cyber threat against civil society organizations protected under Project Galileo, accounting for 81.7% of all malicious traffic.

Their defining feature was duration. While most DDoS attacks Cloudflare mitigated for its customers were over within minutes, nearly every one of the largest attacks against civil society lasted longer, with some spanning days and weeks. The Iraq-based digital rights organization Tech4Peace experienced an eight-day-long DDoS attack that featured 2.6 billion malicious traffic requests.

More than 10% of all traffic to human rights organizations was classified as a part of a DDoS attack. This was the largest share of any group of participants, and roughly 40 times more than social welfare organizations. Media groups were widely targeted, with more than one in eight facing malicious DDoS traffic during the reporting period.

Civil society organizations faced attempts to exploit website vulnerabilities at a rate more than seven times higher than other Cloudflare customers. Exploiting website vulnerabilities is a type of cyber attack that targets flaws in outdated or unpatched systems, allowing threat actors to extract sensitive data or access internal systems.

On average, Cloudflare blocked a malicious request probing a media organization every seven seconds.

In general, civil society organizations faced attempts to exploit security vulnerabilities in websites at a rate more than seven times higher than other Cloudflare customers. Media organizations, including journalists, were the most frequently targeted, receiving 40.5% of attacks, despite making up only 22.7% of the underlying population.

Journalists operating in exile faced a rate of malicious traffic that was nearly four times higher than journalism organizations overall.

Attacks were concentrated against a few targets. In December 2025, elTOQUE, a Cuban media outlet operating in exile, faced a DDoS attack that the organization believes was an intentional effort to limit access to a tracker comparing the Cuban peso with foreign currencies.

Nearly 10 percent of all emails Cloudflare processed for civil society included potential phishing material.

Compared to other Cloudflare customers, civil society faced a higher concentration of malicious emails intended to gain unauthorized access. Traditional authentication protocols alone left civil society organizations exposed. Nearly one in three emails that contained malicious content bypassed standard authentication methods but were identified by more sophisticated phishing detection tools provided by Cloudflare.

The top five most frequently impersonated brands were, in descending order, Apple, Docusign, Datadog, American Express, and Intuit.

Cloudflare identified 183 Internet disruptions across its global network, 85 of which public reporting has attributed to government action.

The restrictions coincided with periods of elections, protests, and student exams. In countries like Iran and Uganda, civil society organizations reported that shutdowns disrupted their ability to reach affected communities, document abuses, and share independent information.

During the reporting period, 183 Internet disruptions were identified, 85 of which appeared to be government-directed based on public reporting. These intentional shutdowns occurred during student exam periods, protests, elections, and armed conflict. Such restrictions limit the ability of civil society and media to disseminate independent information, provide public services, communicate with communities at home and abroad, and mobilize for change. Organizations like the Internet Society have also sought to estimate the significant economic cost of shutdowns.

The report demonstrates that across numerous threat types (DDoS attacks, website vulnerabilities, and email phishing), civil society organizations were targeted more frequently, and often more intensely, than other Internet users.

Cybersecurity Is Mission Protection for Nonprofits

At Reputiva, we believe nonprofit cybersecurity should be understood as mission protection. A cyberattack against a nonprofit is not just an IT problem. It can interrupt services, block access to public-interest information, expose sensitive data, disrupt fundraising, damage trust, or silence important community voices.

Cloudflare’s report reinforces something every nonprofit leader should take seriously: civil society organizations are often targeted because of the work they do and because of the moments when that work matters most. Attacks may coincide with public advocacy, elections, reporting, digital rights work, humanitarian activity, or community mobilization.

This is especially important for smaller nonprofits and community organizations. Many do not have enterprise security teams, but they still rely on enterprise-like digital infrastructure: websites, email, cloud storage, donation platforms, online forms, and social media accounts.

A practical nonprofit cybersecurity baseline should include:

  • DDoS and website protection
  • Web application firewall coverage
  • Multi-factor authentication
  • Strong password management
  • Secure domain and DNS management
  • Email security and phishing protection
  • Regular software and plugin updates
  • Cloud storage access reviews
  • Backup and recovery planning
  • Simple incident response procedures
  • Cybersecurity awareness training for staff and volunteers

The goal is not to make every nonprofit operate like a large bank. The goal is to reduce the most likely and most damaging risks first. Cybersecurity should not be treated as a luxury for nonprofits. It should be treated as a basic requirement for digital trust, resilience, and public service.

Need Help Strengthening Your Nonprofit’s Cybersecurity?

If your nonprofit, charity, community organization, or mission-driven team depends on a website, email, cloud tools, online donations, or digital communications, now is the time to review your cybersecurity posture.

Reputiva helps organizations understand their current risks, identify practical next steps, and build a stronger foundation for secure digital operations.

Book a cybersecurity readiness consultation with Reputiva to assess your website, email, cloud tools, account security, and incident preparedness.

Protect your mission. Protect your people. Protect the trust your community has placed in you.

 
