This is Part 2 of an excerpt from “Building the Cybersecurity and Resilience of Canada’s Nonprofit Sector,” a report capturing the knowledge and insights of a Working Group convened by The Canadian Centre for Nonprofit Digital Resilience.
In nonprofit organizations, skillful use of technology combined with strong digital leadership can multiply impact. Nonprofits use technology to improve reach and accessibility, provide higher quality services, engage more effectively with donors and supporters, and achieve better outcomes from better data.
Technology adoption brings real benefits, but also real risks that can hinder an organization's ability to serve its community. They include operational, financial, legal, and reputational risks, some with devastating outcomes.
Nonprofits face many of the same cybersecurity threats as other Canadian organizations. Attacks from malicious actors take multiple forms, including ransomware, phishing, and intrusions that lead to data breaches. Other threats, including accidental or natural hazards (e.g., fires, floods), can also put digital information and systems at risk.
Nonprofits often adopt systems, software, and automated processes without fully understanding the risks. And an organization's ability to identify, assess, and mitigate risks is often hindered by other constraints, including time, expertise, and funding.
The following completes the list of constraints that limit a nonprofit's ability to adopt effective cybersecurity controls and implement security requirements that keep its systems and data safe.
Time Horizon
Cyber risk is a challenge that must be continuously managed. One participant called it a "constant burning issue." This demands vigilance and keeping one eye on the future.
Risks change as new applications and technologies are introduced, digital interconnections increase, and access types expand. For example, cybersecurity needs will grow with increasing reliance on virtualized work environments, cloud computing, and artificial intelligence. The shift to remote work and the growing reliance on mobile devices have already introduced new risks.
Nonprofits' planning and budgeting cycles pose a barrier to building and maintaining a cybersecurity program. Most nonprofits operate with a three- to five-year business planning cycle and an annual budgeting process, and investments in their cybersecurity programs are constrained to the same rhythm. Threats do not follow that rhythm: without sustained attention and funding between cycles, organizations leave themselves vulnerable to emerging threats.
Outdated Hardware and Software
The use of donated or low-cost/no-cost hardware and software can also increase cybersecurity risk. Second-hand devices sometimes arrive carrying malware or the previous owner's data.
Hardware, software, and operating systems may be used well beyond their end-of-support date. This exposes the organization to a host of issues, because the manufacturer no longer provides security updates: any vulnerability discovered after that date stays unpatched for as long as the system remains in use. Continued reliance on unsupported systems is a form of technical debt. It accrues over time and amplifies an organization's risk.
“The nonprofit that is working from the position of ‘beggars can’t be choosers’ is under tremendous risks simply due to the legacy systems that they are using.”
A related concern is the improper disposal of technology. Many organizations do not safely decommission their equipment and sell, donate, or dispose of it without realizing it still contains sensitive data. Deleting files or reinstalling the operating system does not remove that data; safe decommissioning means wiping or destroying the storage media before the device leaves the organization's control.
Awareness and attention, funding restrictions, scale, time horizon and outdated systems are key challenges faced by nonprofits. Several other issues are also important to consider.
Federations and associations: Several participants noted the specific challenge of operating in a federation or association context. "It's difficult to figure out, establish, and maintain the boundaries" and determine what should be accomplished centrally versus managed locally. There is additional complexity related to responsibility for, and prescriptive powers over, shared systems and the data they manage. Questions about who owns, manages, and is liable for each part of a technology ecosystem can hamper the implementation of robust cybersecurity measures. Failure to properly address these questions can allow unaddressed risk and liability to spread, uncontrolled, across federated or associated organizations. This risk is particularly acute where nonprofits are working with vulnerable populations and their data.
Funder requirements: Nonprofits are often mandated to collect certain information to meet their funding obligations. They may even be mandated to use a particular system to collect the data. This significantly constrains their flexibility and increases risk, especially if cybersecurity funding is not provided alongside the mandate. It also raises the question of liability for a breach: when the funder demands that the organization collect certain data or use a particular system, who is then responsible for the protection of that data and system? Leaving that question unanswered is itself an additional risk.
Rights and values: The implementation of some cybersecurity measures, such as monitoring of employee devices and accounts, may engage employee privacy rights. The nonprofit sector is particularly protective of employee privacy rights, and some organizations have advocated for stronger employee privacy and digital rights protection. The deployment of cybersecurity solutions must achieve a balance, weighing risk against reward.
Connectivity: Limited access to the internet, especially in rural areas, can push cybersecurity even further down the priority list. Rural locations may also have limited access to cybersecurity resources and expertise, increasing both the likelihood and the severity of a cybersecurity incident.
Download the full report here.
The effective use of technology combined with strong digital leadership and capacity can help nonprofits reach their clients and funders more easily. But nonprofits that want to make the digital leap find themselves with only limited and uncoordinated support. The Canadian Centre for Nonprofit Digital Resilience exists to bridge this gap.