REPORT | Cybersecurity Threats and Challenges Facing Nonprofits, Part 1

publication date: May 9, 2023 | author/source: The Canadian Centre for Nonprofit Digital Resilience

This is an excerpt from “Building the Cybersecurity and Resilience of Canada’s Nonprofit Sector,” a report capturing the knowledge and insights of a Working Group convened by The Canadian Centre for Nonprofit Digital Resilience.

In nonprofit organizations, skillful use of technology combined with strong digital leadership can multiply impact. Nonprofits use technology to improve reach and accessibility, provide higher quality services, engage more effectively with donors and supporters, and achieve better outcomes from better data.

Technology adoption brings real benefits, but also real risks that can hinder an organization’s ability to serve its community. They include operational, financial, legal, and reputational risks with devastating outcomes.

Nonprofits face many of the same cybersecurity threats as other Canadian organizations. Attacks from malicious actors take multiple forms, including ransomware attacks, phishing attacks, and data breaches. Other threats, including accidental or natural hazards (e.g., fires, floods), can put digital information and systems at risk.

Nonprofits often adopt systems, software, and automated processes without fully understanding the risks. And an organization’s ability to identify, assess and mitigate risks is often hindered by other constraints including time, expertise, and funding.

“A lot of nonprofit staff were working from home during COVID where they shared a computer with multiple family members. In this case, it's a huge risk from a data perspective if that computer is not protected properly. The organization rarely has an internal IT team to do the work necessary to make sure data is entered and stored securely. So, the challenge is tech literacy and the capacity for nonprofits to understand how to protect systems and data.”

The following constraints limit a nonprofit’s ability to adopt effective cybersecurity controls and implement security requirements that keep their systems and data safe.

Awareness and Attention

Few nonprofits have data security and privacy on their radar as a basic operational requirement. Most nonprofits are lean and mission-focused and tend to lack a strong culture of digital awareness and security.

Many nonprofit organizations lack awareness of cyber risk. One working group participant noted, “Many don’t even know that they might be a victim.” Another shared, “it’s the literacy piece that’s foundational,” observing that many nonprofits do not have a comprehensive view of the data they collect and the accompanying risks. Many nonprofit leaders believe they are not big enough or rich enough to be targets for cyber threats, nor do they consider the cyber risks associated with accidental or natural events.

Furthermore, many nonprofits are unsure of their basic legal and compliance responsibilities. These regulatory requirements vary based on geography, data type, and activity being undertaken. It is incorrect to assume, however, that nonprofits are exempt from privacy laws. As these legislative requirements continue to increase, so too does compliance risk.

Even with awareness, cybersecurity may not make the organization’s priority list: one participant noted, “there’s a weird denial that we have a problem.” Other psychological barriers to acceptance may arise from pressures nonprofits are under, such as funding challenges.

“Technology is already a topic a lot of organizations are afraid of, so when we talk about security and compliance, it becomes too overwhelming for organizations to even think about when they have so many other fires to put out.”

Funding Restrictions

Nonprofits often face challenges investing in an effective cybersecurity program. Funders rarely fully appreciate cybersecurity as a standard program cost, so nonprofits frequently lack funding for even the most basic cybersecurity measures.

Traditional funders have demonstrated little interest in funding technology infrastructure and all that entails – including training and implementation. Some may invest in technology innovation, such as new functionality. Few, however, will fund a technology infrastructure overhaul, even if data protection and security are at risk.

This makes it difficult for nonprofits to acquire even basic cybersecurity products/services. And future planning is difficult when nonprofits are already burdened by legacy systems.

Nonprofits are also challenged to build internal capacity. Most do not have a CIO (chief information officer), many do not have even an internal IT resource, and it is very rare for a nonprofit to have a CISO (chief information security officer). Senior leaders, managers, and staff all play an important role in cybersecurity. This requires training, which needs to be funded.

In the absence of sustained, sufficient funding for cybersecurity, organizations leverage free software, donated hardware, volunteer IT support, and, when needed, consultant security services to fill the gap.

“Cybersecurity and IT expertise is needed at all levels of decision making - governance boards, executive teams, staff, volunteers, etc.”

Even if funding is available, there is another challenge: scale.

Scale

Smaller organizations – which comprise the majority of Canada’s nonprofits – are typically at a disadvantage relative to their larger peers, but nonprofits tend to struggle regardless of size.

Small nonprofits tend to have limited capacity and expertise to create custom policies and other interventions to ensure cybersecurity. Expanding operations without a strong cybersecurity foundation can be disastrous.

Larger organizations may be able to dedicate more resources to cybersecurity. They may have more skills, money, knowledge and support for safeguarding the organization. However, they too struggle, particularly if they have more complex data collection systems. And with more data and greater complexity, the risks increase.

“Smaller organizations often do not have the resources and critical mass to implement and manage the required controls to protect against information and cyber security risks. Anything we can do to help ensure those controls are understood, implemented, and managed will be essential.”

It is not only the size and scale of the organization that can present challenges. Despite the clear urgency to implement effective cybersecurity, nonprofits face timing constraints that impede their ability to sustain a cybersecurity program.



The effective use of technology combined with strong digital leadership and capacity can help nonprofits reach their clients and funders more easily. But nonprofits that want to make the digital leap find themselves with only limited and uncoordinated support. The Canadian Centre for Nonprofit Digital Resilience exists to bridge this gap.



Copyright © 2011-Current, The Hilborn Group Ltd. All rights reserved.
