2025 ConComms End of Year Report

Executive Summary

In 2025 our team delivered a comprehensive suite of digital‑security services to nonprofit partners across the United States. By combining hands‑on training, vulnerability assessments, full‑scale cybersecurity audits, policy‑framework development, on‑device forensic malware scanning, and secure intake software development, we helped these organizations raise their security posture, embed sustainable practices, and protect the communities they serve.

Key Outcomes

Metric | 2025 Result
Security‑Awareness Sessions & Phishing Simulations | 20 live trainings + phishing demos
Organizations Engaged | 7
Vulnerability Assessments Completed | 10
Full Cybersecurity Audits Delivered | 7
Digital‑Security Policies & Procedures Drafted | 5 customized frameworks
New Staff Trained in Device Scanning, Training & Ongoing Awareness | 2 new personnel trained
Device Scanning for Spyware and Malware | 2 organizations' devices scanned; detailed remediation reports completed
Software Development and Documentation for “first‑contact” communication bridge (CDR‑Link‑Metal) | Published GitLab project, detailed documentation, and active maintenance
Overall Impact | Partner organizations reported a significant reduction in successful attacks and a major increase in documented remediation actions within three months of audit completion.

1. Security‑Awareness Training & Phishing Education

Scope – Delivered 20 tailored, organization‑specific live sessions or phishing simulations.

Approach

  • Contextualized Threat Modeling – Each session began with real‑world examples relevant to the nonprofit’s mission (e.g., donor‑data phishing).
  • Hands‑On Demo – Participants experienced a controlled attack, identified issues, and practiced safe reporting.
  • Habit‑Building Toolkit – Checklists, quick‑reference one‑pagers, and reusable playbooks.

2. Vulnerability Assessment Program

Engagement Model – 2–3 week intensive collaboration with key staff to embed a repeatable vulnerability‑management cycle.

Deliverables

  • Digital‑Security Checklist covering asset inventory, configuration baselines, and third‑party risk.
  • Final Audit Report (7‑12 pages) summarizing the security baseline and outlining actionable remediation steps.

Results

  • All seven partner NGOs now have documented remediation timelines.

3. Comprehensive Cybersecurity Audits

Engagement Model – 4–8 week deep dive with organizational leadership and IT/security staff.

Core Activities

  • Review of system configurations (email, cloud storage, endpoint protection).
  • Evaluation of access‑control policies, MFA adoption, and data‑loss‑prevention settings.
  • Interviews to map workflow‑specific risks (e.g., grant‑application portals).

Deliverables

  • Audit Report (12‑20 pages) presenting a holistic security snapshot and 15 critical recommendations (e.g., MFA rollout, encrypted backups).

Outcomes

  • Post‑audit, NGOs achieved MFA coverage for the majority of privileged accounts.
  • Identified and closed misconfigurations across the cohort.

4. Digital‑Security Policy & Procedure Development

Frameworks Leveraged – BSI, NIST SP 800‑53, ISO/IEC 27000 series.

Process

  1. Initial Compliance Review (3‑8 weeks) – Gap analysis against chosen frameworks.
  2. Stakeholder Workshops – Engaged executive officers, IT leads, and frontline staff to surface practical constraints.
  3. Draft Policy Suite – Included Acceptable‑Use, Travel, Incident‑Response, and Data‑Retention policies.
  4. Tool Demonstrations & Handouts – Provided ready‑to‑use templates and resource links.

Deliverables

  • Five fully‑documented policy packages (average 7 pages each).
  • Implementation roadmap with milestones, responsible owners, and success metrics.

Impact

  • All participating NGOs now possess a formalized security governance structure.

5. Capacity Building – Training New Personnel

Focus – Equip emerging staff with practical forensic device‑scanning, training, and awareness‑building skills.

Activities

  • “Security Ops Bootcamp” covering:
    • Use of open‑source scanning tools.
    • Interpreting scan results and prioritizing fixes.
    • Reporting procedures for suspected incidents.
  • Follow‑up mentorship (bi‑weekly check‑ins for two months).

Outcome

  • Two newly trained individuals now act as security champions.

6. In‑Depth Malware & Spyware Forensic Scanning Collaboration

Partner Organizations – Two nonprofit tech‑advocacy groups (Org A and Org B) that manage a large variety of staff laptops and phones.

Scope – Conducted full‑disk forensic static malware analyses to uncover persistent malware and spyware targeting activist communications.

Process and Outcomes – 4–5‑week engagement in which the ConComms Team performed forensic scans of critical work and personal devices. We detected and remediated signs of malware, spyware, or default device settings facilitating organizational data loss and vulnerability. At the completion of the forensic scans we delivered an empowering, action‑step scan report to the designee, tailored to the organization's needs and the maturity of its security posture, with actionable recommendations to concretely reduce risk.


7. GitHub Maintenance & Secure First‑Contact Solution Deployment (CDR‑Link‑Metal)

Objective – Harden the open‑source repository ecosystem supporting a secure “first‑contact” communication bridge (CDR‑Link‑Metal) to compartmentalize messages and provide an efficient, uniform organizational response framework for first contacts with WhatsApp, Signal, and Twitter/X.

Key Activities

  1. Repository Hygiene
    • Conducted a comprehensive audit of all branches, tags, and pull‑request histories to eliminate dependence on big‑tech, surveillance‑based tools.
  2. Installation & Training on CDR‑Link‑Metal
    • Created platform‑agnostic installer scripts that provision isolated Docker containers with minimal privileges.
  3. Documentation & Community Building
    • Produced a step‑by‑step deployment guide covering prerequisites and deployment.

8. Overall Impact & Lessons Learned

Area | Insight
Phishing Resilience | Active demos and interrogatory learning modules cement behavior change.
Vulnerability Management | Embedding a short, repeatable workflow drives sustainability.
Policy Adoption | Co‑creation with staff yields higher buy‑in.
Staff Empowerment | Targeted, hands‑on training accelerates internal capacity.
Malware & Spyware Defense | Deep device forensics combined with rapid remediation pays immediate dividends.
Secure Messaging Bridge | Robust supply‑chain security and clear documentation foster trust and adoption.

Key Takeaways for 2026

  1. Integrate Continuous Training – Quarterly learning modules keep awareness fresh.
  2. Expand Scope – Bring additional nonprofit sectors (e.g., environmental advocacy) into the program to amplify collective security hygiene.
  3. Invest in Supply‑Chain Hardening – Ongoing GitHub security automation prevents regression and builds community confidence.
  4. Maintain Threat‑Hunt Cadence – Regular malware‑scan cycles with partner organizations keep adversaries at bay.

Closing Note

Our 2025 effort demonstrates that focused, collaborative security initiatives can dramatically improve the resilience of mission‑driven nonprofits. By coupling education, rigorous assessments, policy scaffolding, deep malware forensics, and secure‑by‑design software practices, we’ve laid a foundation that these organizations can build upon for years to come.