Cybersecurity essentials for nonprofits

In Canada, cybersecurity incidents are capturing more public attention – especially as they increase in severity and frequency.

A prevalent myth about nonprofit cybersecurity is that cyberattacks only happen to large organizations; however, this is not the case. Unfortunately, cybersecurity attacks have impacted institutions that are central to public trust and welfare, such as nonprofits.

If data is valuable to a nonprofit, that alone is sufficient reason for an attack to be staged. Malicious attacks are also increasingly automated, enabling bots to quickly scan millions of sites for vulnerabilities to exploit.

The rise of remote work makes cybersecurity a critical consideration – according to a 2021 report from Statistics Canada, nearly half of all nonprofits identified remote work as one of the main reasons driving cybersecurity investments.

However, while remote work is one of the key drivers of cybersecurity investments, only about a quarter of community nonprofits in 2023 reported that they plan to take new or additional cybersecurity measures over the next year. In contrast, about a third of organizations indicated that it was unknown if they planned on taking new or additional cybersecurity measures.

It’s important to note that using free cybersecurity tools may not always be sufficient, as significant disruptions can occur without proper preparedness or protection. Beyond the direct costs of cybersecurity incidents, indirect costs can also be significant. Among organizations that reported a cybersecurity incident, 27% of nonprofits reported being prevented from using resources, according to a 2021 Statistics Canada report.

Because many nonprofits have digitized much of their processes, several key functions relating to service delivery, fundraising, and communications may be inaccessible during a cyber incident.

Additionally, 2021 Statistics Canada data found that 21% of nonprofits that have experienced a cybersecurity incident also reported that employees had to spend additional time as a result of the incident.

Basic cybersecurity actions

So, how do you get started with ensuring your organization is well-protected from a cybersecurity attack? Consider the following basic actions that your organization can take to build its cybersecurity resilience:

Use complex passwords and multi-factor authentication

Use a password manager

Update operating systems and applications automatically

Backup data

Install preventative security tools such as anti-virus software

Train employees on basic cybersecurity practices

Have an incident response plan ready (Template and example)

The list above is based on the Canadian Centre for Cyber Security’s Foundational cyber security actions for small organizations – baseline cybersecurity controls for small organizations (ITSAP 30.100). This document provides a list of basic cybersecurity actions that small and medium-sized organizations can take, beyond what is provided above. 

Risk assessment and standards

When it comes to longer-term cybersecurity planning for your organization, a basic cybersecurity risk assessment may be helpful. 

The first step is to review and complete the Cyber Security Risk Assessment Questionnaire found in Annex B of the following document: Baseline Cyber Security Controls for Small and Medium Organizations (CAN/CIOSC 104:2021). This questionnaire should be completed in consultation with a cybersecurity management expert and can help identify potential risk areas for your organization.

The questionnaire is part of a standard published by the Digital Governance Council, and the Level 1 requirements that are outlined in Baseline Cyber Security Controls for Small and Medium Organizations are intended for organizations that are starting their cybersecurity journey. 

As your organization continues to grow in its capabilities and resourcing, you may explore further strengthening your cybersecurity through the adoption of Level 2 standards. As your organization matures, you might also consider additional standards and frameworks such as the NIST Cybersecurity Framework, CIS Critical Security Controls, SOC, ISO 27001, or other programs based on your unique organizational needs.

Website cybersecurity

Websites are an important part of a nonprofit organization’s online presence, as they are the first place visitors arrive when looking for information.

The range of information contained on your nonprofit’s website may include information about services that are provided, volunteer and career opportunities, contact information, and how to donate.

The 2021 Canadian Survey of Cyber Security and Cybercrime indicates that digital adoption in the nonprofit sector is significant. In particular, 84% of organizations had a website, 82% had a social media presence, and 72% used cloud computing. All of these presences need to be secured, as they are valuable resources for the organization.

Below is a basic checklist of actions to consider regarding your nonprofit’s website, adapted from NTEN’s guide on website security for nonprofits.

Website security checklist

Website hosting

Automated backups

Uptime and resource monitoring

Automated software updates

Malware scanning

Security certificate enabled

Website security fundamentals

Password manager used to store login information

Multi-factor authentication enabled for website login

Domain name system (DNS)

Domain contact information is up to date

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records configured to ensure email authentication

Domain name status is locked at the registrar to prevent unauthorized changes

Preparation and prevention

Incident response plan in place

Cybersecurity incident response team identified

Organizational cybersecurity policy (Example template)

Cybersecurity training for staff

Strong website security offers a firm foundation for your organization and ensures that your organization’s staff can focus on mission-oriented activities.

Cybersecurity policy

A cybersecurity policy is helpful in documenting the steps and approaches that your organization may take to secure its digital resources. 

A cybersecurity policy will outline your organization’s assets and risks, as well as the preventative and reactive measures that can be taken. Visit the Sample Cybersecurity Policy page on HR Intervals for a model cybersecurity policy template, courtesy of IslamicFamily.

The bigger picture

It’s important to keep in mind that cybersecurity is part of a bigger picture when it comes to digital adoption for nonprofits. Cybersecurity efforts must also be supported by robust technology practices and policies in order to ensure sustainability. 

Fortunately, there are already some helpful tools to assist in the broader journey of digital adoption for nonprofits, such as NTEN’s Tech Accelerate and the Charity Growth Academy by CanadaHelps. These platforms offer free assessment tools to evaluate technology adoption, practices, and policies along with providing resources and recommendations for improvement.

As the cybersecurity landscape continues to shift and evolve, the human resource function has an increasingly important role to play in ensuring that nonprofit organizations continue to adapt through ongoing education, training, and investments. Stay safe!
