This story was produced thanks to a partnership between Future of Good and RBC. RBC is proud to support a broad range of community initiatives through donations, community investments and employee volunteer activities. See how at rbc.com/peopleandplanet. See FOG’s editorial ethics and standards here.
Partnered Partnered content Non-profits are increasingly being targeted for cybercrime. Here’s how your organization can help protect itself
Being cybersecure doesn’t have to be daunting or expensive. A panel of experts discuss ways the non-profit and charitable sector can help protect itself in a constantly changing AI landscape.
Why It Matters
Cyberattacks are becoming a growing threat that experts say many non-profits are underestimating. The increase in AI sophistication has shown that even the smallest organization can be a target, underscoring the importance of cybersecurity for every size of non-profit.
As cyberattacks become cheaper and easier to launch , experts say small organizations can take simple steps to help protect themselves from becoming a target.
“The non-profit sector specifically,” said Claudette McGowan, chair of Cyber Nations Foundation.
“I don’t know how many organizations would put their hand up to say, ‘We have too much money, we don’t have to worry about these things’,” she added.
“It is known that we are struggling and have different challenges financially…And so, knowing that there probably isn’t a chief information security officer, there probably isn’t an incident responder, there probably isn’t vulnerability scanning and assessments being done, this is what makes this sector so attractive [for cyberattacks],” she said.
Her message was shared during RBC’s free Building Cyber Resilience for your Non-profit session hosted by Future of Good on April 23.
Hundreds of participants signed up to hear from an expert panel to discuss cybersecurity risks, emerging threats, and how the non-profit sector can help protect itself against them.
“It is a core value as an organization to help the communities that we serve,” said Adam Evans, senior vice president and chief information security officer at RBC after the event.
“This is one of the ways that we do it, it’s knowledge sharing, sitting with people, and sharing best practices,” he said.
Fourty-three per cent of Canadian organizations in the public, private and MUSH (municipalities, universities, schools and hospitals) sectors were targeted in a cyberattack last year, while 42 per cent experienced a breach of customer or employee data, according to the Canadian Internet Registration Authority (CIRA).
As the rise of sophisticated AI technologies continues, RBC warns that non-profits, charities and social purpose organizations need to be more vigilant.
“Maybe a number of years ago, security was more optional. But as we continue to digitize the services that we provide to people or the mechanisms by which we can make those services accessible, … the attack surface, or the digital sprawl, grows,” said Milos Stojadinovic, Senior Director of advanced threat operations for RBC.
“As that grows, so does the cost and the complexity of securing this kind of infrastructure and ecosystem and applications and people.”
The biggest cybersecurity risk isn’t necessarily new threats, but rather how existing threats can be made faster, cheaper and more scalable, said Stojadinovic.
“Phishing is a pretty significant component and it’s not the phishing of yesteryear. There’s no typos. Things look very real.” he said.
“AI can do the research to find people’s social media profiles, understand what’s going on in their organization, home, and more importantly, the relatively low cost of orchestrating these kinds of attacks at scale means that it’s not a campaign, it’s a new sustained pressure that organizations are going to be seeing.”
“There is a removal of barriers of entry into criminal behavior. Language isn’t a barrier anymore. Cost isn’t a barrier anymore. Skills are no longer a barrier,” said Evans.
Protection challenges
Rising costs, declining charitable donations and an increased demand for services have stretched organizations to their limits, making cybersecurity an afterthought.
The challenge is also structural, according to Wilfreda Edward, executive director of the Canadian Centre for Non-profit Digital Resilience.
“Although the problem may seem to be rooted in technology, it’s actually a funding problem that has equity consequences. It’s rooted in decades of digital infrastructure being treated as overhead and funders traditionally don’t fund overhead,” said Edward.
At the same time, cyber threats are becoming more sophisticated and easier for attackers to exploit.
“It’s the combination of complexity, as well as the lowering of the barrier to entry into the cybercrime world, that I think is creating quite a dangerous climate for organizations,” said Stojadinovic.
“Certainly small, medium organizations and non-profits are trying to allocate those funds as much as they can that are core to what their business model is,” Stojadinovic added.
For many non-profits, the challenge comes down to balancing priorities with limited budgets.
“Obviously everyone’s trying to stretch the same dollar,” said McGowan. “That prioritization of the dollar is a struggle.”
“We are mission-driven, purpose-oriented organizations, so we’re going to put the funding into where you make the biggest impact. So, some of the trade-offs are ‘How much do I have to invest in security versus doing the thing that I’m mandated to do?’” said Claudette.
Non-profits face additional pressure to protect sensitive data, as many serve vulnerable and marginalized populations.
“The more data you have, the more you understand about a population of people or communities, and that puts a non-profit at risk,” Evans said.
Actionable steps
Implementing policies can be one of the fastest paths and cost-effective ways for organizations to become cybersecure, according to McGowan.
“When people are thinking about cybersecurity and investment, they think it has to be the latest software or it has to be a piece of hardware,” she said.
However, she says using two-factor authentication and never repeating passwords is just as effective.
“In many cases, it could be about configuration settings, policies, processes, things that you’re doing like tabletop exercising, practicing ‘What would you do, should the bad day occur?’”
She points to resources like the Canadian Centre for Cybersecurity or the National Institute of Standards and Technology, which offer free frameworks and checklists that non-profits can use.
“Be curious, don’t wait for the crisis to become curious, be curious and say ‘What can I do to learn more now?”
Stojadinovic recommends running simulations to practice responding to cyberattacks before they happen.
“Say, ‘Okay some kind of cyberattack happens, the service becomes unavailable. We can’t deliver this product. What does that mean to our organization? How would we recover?” said Stojadinovic.
Evans recommends that organizations especially consider strong authentication for critical accounts, such as Gmail.
“A lot of compromises that we see, they compromise the Gmail account first because more than likely they’ll find a copy of somebody’s government-issued ID in there. They’ll see a tax return. Interactions with businesses, whether it be banks or otherwise, it’s a treasure trove of information,” said Evans.
“Threat actors are, for the most part, not overly discerning about who they attack.”
RBC and RBC Foundation have launched the RBC Stronger Nonprofits Program and online hub – part of their ongoing commitment to help strengthen the capacity and resilience of the non-profit sector.
RBC Stronger Nonprofits is helping non-profits bridge the digital skills gap and improve operational efficiencies through access to tools, training, and systems, including:
- AI literacy and adoption
- Data management and governance support
- Cybersecurity protection
Learn more: rbc.com/strongernonprofits
Your job. Your mission. Your news.
With your support, the sector you're building gets the journalism it deserves, and you get a tax receipt.
At RBC, we believe that thriving communities can create opportunities for all. With urgent environment needs, a rapidly changing workforce and growing inequalities in our society, RBC aims to tackle today’s challenges head-on. That’s why RBC is supporting the transition to a net-zero economy, equipping people with future-ready skills, and driving inclusive opportunities for greater prosperity. In collaboration with Future of Good, we’re showcasing those efforts and the stories accompanying them.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. The information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.
Author
Related Articles
Canadian astronaut, entrepreneur donates $15M to Concordia to launch new space school
Montreal’s Concordia University will be the home of the Mark Pathy Space Institute.
A race to regulate: Canada falls behind as the EU sets AI legislation
After Canada’s failed attempt to pass artificial intelligence legislation, other jurisdictions like the European Union have pushed forward with comprehensive rules. Experts say Ottawa could take lessons from their model.
CCNDR to expand cybersecurity resources for non-profits with new CoLab
In a recent survey of 8,000 non-profits, CCNDR also found that equity-denied organizations face significant barriers in digital skills and training.
