Most Canadian non-profit organizations struggle to have a cybersecurity strategy, but a recently released report outlines what their objectives should be.
They are included in a 14-page report on the state of cyber security in the region released by Canadian Center for Non-Profit Digital Resilience, It also includes a plan to help them tighten – or in many cases start – their efforts. And it outlines several pilot projects to help nonprofits take the first steps toward protecting their data.
“Cybersecurity” is a problem that cries out for a sector-wide solution, Katie Gibson, the center’s executive director, said in an interview. But that solution, she said, has to be tailored specifically for financially strapped nonprofits.
There are an estimated 170,000 not-for-profits in Canada – of which 80,000 are registered charities – ranging from one- or two-person operations to major hospitals. Depending on their mission, they may collect an excessive amount of personal or medical information about their customers.
of toronto hospital for sick children, scouts canada And this Ottawa Branch of the Salvation Army are among the large ones to have suffered recent attacks.
Gibson said very few Canadian non-profits are cyber mature. Many people adopt what is called “ostrich mode”, believing that their organization will not be in the cross-hairs of attackers.
Report, “Building the cyber security and resilience of Canada’s non-profit sector,” supports her. “Few nonprofits have data security and privacy on their radar as a basic operational requirement,” the report said. “Most nonprofits are less and mission-focused and digital There is a lack of a strong culture of awareness and security. Many nonprofit leaders believe they are not large or prosperous enough to be targeted for cyber threats, nor do they consider the cyber risks associated with accidental or natural events.
The report notes that those who fund non-profits rarely fully appreciate cyber security as a standard program cost, so non-profits often miss out on the most basic cyber security measures. There is shortage of money. The report also states that most do not have a CIO, many do not even have internal IT resources, and it is very rare for nonprofits to have a CISO.
The report came out of a working group consisting of representatives from the by and large
Small Nonprofits, Nonprofit Capacity-Builders, Nonprofit Funders, Policy Makers, Academics,
Cyber Security Specialist, and Cyber Security Vendor.
The paper does not include a how-to list, although it does include links to free resources that non-profits can take advantage of, including the Canadian Center for Cyber Security, the Digital Governance Council’s Baseline Cybersecurity Control Small and Medium Organization, NTEN Cyber Security Bundle of Courses for Nonprofit Staff, and Cyber Security Resource Compilation by the US National Council of Nonprofits in the United States.
“Many cyber security resources available today do not require significant investment, and many good cyber security practices can be adopted at low cost,” the report said.
It stipulates that there are five purposes a nonprofit must have:
Nonprofit boards, officers and employees must understand their risks and obligations and make cyber security a priority;
– They should have a smooth on-ramp to cyber security, starting with contextual risk assessment that prioritizes preventive, focused action at different maturity levels;
– they must have access to a standard against which they can compare themselves and which is accepted by funders;
– They must have the funds to implement the necessary cyber security practices;
– and they must have access to a marketplace of vendors providing quality, cost-effective solutions.
To help organizations meet these objectives, the report’s working group will develop and test several prototypes. This includes what it calls a “cybersecurity on-ramp” in the immigration and refugee settlement sector, which includes a risk assessment process. Initially, the nonprofit will help with this prototype, which will later be expanded to other areas.
A model cyber security policy for social services is also being formulated. This will be done in partnership with the Islamic Family and Social Service Association, with the goal of being adopted by other social service organizations.
No timeline has been set for delivering an on-ramp prototype or cyber security policy.
Launched 12 months agoThe non-profit Canadian Center for Digital Resilience was founded by Digital Governance Council (formerly CIO Strategy Council), the Tamarack Institute, nten, Social Economy through Social Inclusion (setsi), and Imagine Canada.
In the interview, Gibson said that governments can help nonprofits by providing financial help with improving their IT and cyber security capability, noting that nonprofits often help governments by providing services.
The tech sector can also help by understanding the needs of nonprofits, he added. IT companies can also help volunteers for the Centre’s projects.
Technology groups affiliated with the center include Cisco Systems, the Canadian Internet Registry Authority (CIRA), Amazon, PayPal, Sage Group, Boundstate Software, and Toronto Metropolitan University’s Rogers Cybersecure Catalyst.
