Most Canadian not-for-profit organizations struggle to have a cybersecurity strategy, but a just-released report details what their objectives should be.
They are contained in a 14-page report on the state of cybersecurity in the sector issued by the Canadian Centre for Nonprofit Digital Resilience. It also includes a plan to help them tighten — or in many cases start — their efforts. And it outlines several pilot projects to help nonprofits take their first steps to protect their data.
Cybersecurity “is a problem that cries out for a sector-wide solution,” centre executive director Katie Gibson said in an interview. But that solution, she added, has to be tailored specifically for financially-tight non-profits.
There are an estimated 170,000 not-for-profits in Canada — 80,000 of which are registered charities — ranging from one or two-person operations to major hospitals. Depending on their mission, they may collect a tremendous amount of personal or medical information about their clients.
Toronto’s Hospital for Sick Children, Scouts Canada and the Salvation Army’s Ottawa branch are among the bigger ones that have suffered recent attacks.
Very few Canadian non-profits are cyber mature, Gibson said. Many are in what she called “ostrich mode,” believing their organization won’t be in the cross-hairs of attackers.
The report, “Building the Cybersecurity and Resilience of Canada’s NonProfit Sector,” backs that up. “Few non-profits have data security and privacy on their radar as a basic operational requirement,” the report says. “Most non-profits are lean and mission-focused and tend to lack a strong culture of digital awareness and security. Many non-profit leaders believe they are not big enough or rich enough to be targets for cyber threats, nor do they consider the cyber risks associated with accidental or natural events.”
Those funding non-profits rarely fully appreciate cybersecurity as a standard program cost, the report adds, so non-profits frequently lack funding for even the most basic cybersecurity measures. Most don’t have a CIO, many do not have even an internal IT resource, and it is very rare for a nonprofit to have a CISO, the report also says.
The report came out of a working group that included representatives from large and small nonprofits, nonprofit capacity-builders, nonprofit funders, policymakers, academics, cybersecurity experts, and cybersecurity vendors.
The paper doesn’t include a how-to list, although it does include links to free resources that non-profits can take advantage of, including those from the Canadian Centre for Cyber Security, the Digital Governance Council’s Baseline Cyber Security Controls for Small and Medium Organizations, NTEN’s cybersecurity bundle of courses for nonprofit staff, and the cybersecurity resource compilation by the U.S. National Council of Nonprofits.
“Many cybersecurity resources available today do not require significant investment, and many good cybersecurity practices can be adopted at low-cost,” the report adds.
What it does set out are five objectives non-profits should have:
— nonprofit boards, executives, and staff should understand their risks and obligations and prioritize cybersecurity;
— they should have an easy on-ramp to cybersecurity, beginning with a relevant risk assessment that prioritizes preventive, focused action at different maturity levels;
— they should have access to a standard against which they can compare themselves and that is accepted by funders;
— they should have funding to implement required cybersecurity practices;
— and they should have access to a marketplace of vendors providing quality, cost-effective solutions.
To help organizations realize these objectives, the report’s working group will develop and test several prototypes. These include what it calls a “cybersecurity on-ramp” in the immigration and refugee settlement sector, which includes a risk assessment process. Initially, non-profits will help with this prototype, which will then be scaled to other sectors.
A model cybersecurity policy for social services is also being created. It will be done in partnership with the Islamic Family and Social Services Association, with the goal of being adopted by other social service organizations.
No deadlines have been set for delivering the on-ramp prototype or the cybersecurity policy.
Launched 12 months ago, the Canadian Centre for Nonprofit Digital Resilience was founded by the Digital Governance Council (formerly the CIO Strategy Council), the Tamarack Institute, NTEN, Social Economy Through Social Inclusion (SETSI), and Imagine Canada.
In the interview, Gibson said governments could help non-profits by giving financial help with improving their IT and cybersecurity capacity, noting that not-for-profits often help governments by delivering services.
The tech sector can also help by understanding the needs of non-profits, she added. IT companies can also volunteer to help with the centre’s projects.
Technology groups associated with the centre include Cisco Systems, the Canadian Internet Registry Authority (CIRA), Amazon, PayPal, Sage Group, BoundState Software, and Toronto Metropolitan University’s Rogers Cybersecure Catalyst.