A “huge number” of non-profits have been victims of cyberattacks, risking the data of vulnerable groups, according to a new working group.
Why It Matters
41% of Canadian small businesses that were victims of a cyber attack said it cost them at least $100,000 to recover. The same is likely true of community organizations and small non-profits, although this area has been severely under-researched. Without adequate security measures, community organizations could be exposing their clients to the risks that follow a cyber or data breach, such as identity theft.
This independent journalism on data, digital transformation and technology for social impact is made possible by the Future of Good editorial fellowship on digital transformation, supported by Mastercard Changeworks™.
At the end of 2022, the team at Scouts Canada had been winding down in time for the Christmas break. With just over a week to go, on December 17th, the organization’s online registration platform, MyScouts, experienced a data breach: a ‘bad actor’ had gained access to the MyScouts system, where parents can register their children for Scouting activities, and volunteers can also register to work.
This breach would have allowed cyber-criminals to access personal information and data that parents and volunteers were inputting into the MyScouts system, which was first launched in 2012, and has regularly been updated since. CEO Andrew Price estimates that around 450 users accessed the MyScouts page in the time that the breach was occurring.
While initial investigations found no evidence that the attackers had accessed personal or financial data, the Scouts Canada team took the system offline, meaning neither new nor existing users could access it. It remained inaccessible until January 19th. The timing was unfortunate, Price admits. “We had to bring in people from vacation to be able to respond,” he says.
And while the exact financial impact of the breach is difficult to measure, Price estimates that it cost Scouts Canada “a couple of hundred thousand dollars.” He adds that a large figure like this has knock-on financial implications for other programming and service plans within the organization.
In the non-profit sector in particular, volunteers also need to be educated about cybersecurity and data risks. Since an organization’s volunteer population is likely to be larger than its internal staff, it is critical that volunteers understand how their own behaviour can be exploited by cybercriminals, Price says. Training and upskilling volunteers as they join can mitigate these risks.
What is holding the social purpose sector back from prioritizing cybersecurity?
Scouts Canada’s experience of a cybersecurity breach is just one of several that have hit social purpose organizations in Canada and globally. These incidents show that as the social purpose sector increasingly adopts technology and digital tools, it will be increasingly exposed to such cyber attacks as well.
This is the backdrop in which the Canadian Centre for Nonprofit Digital Resilience (CCNDR) convened a working group made up of non-profits, funders, policymakers, and cybersecurity vendors. The goal was to build cybersecurity resilience in the sector, as well as addressing that “a huge number of non-profits have been victims [of cyberattacks] already,” said executive director Katie Gibson. Participants included Charles Buchanan, president and CEO of Technology Helps, and Amy Sample Ward, CEO of NTEN.
“The problem is too big and too technical for every non-profit to tackle on its own,” Gibson adds. “We need a coordinated response.”
Earlier this year, the Centre released a report outlining the findings from the working group, which showed where non-profits are most vulnerable in their digital infrastructure, and how both funders and technology vendors can play a part in contributing to a more resilient social purpose sector.
“Non-profits face many of the same threats as other organizations, but unique constraints in keeping their systems and data safe,” Gibson adds. Many fall victim to phishing attacks, in which employees or volunteers are lured into entering credentials or personally identifiable information into a site that looks legitimate, for example. The shift to working from home has also increased the likelihood of cybersecurity risks, as “people [non-profit workers] are sharing computers, and accessing client files from mobile devices,” Gibson adds.
Ransomware – malware that encrypts or otherwise locks an organization out of its files and systems, with the attackers demanding payment in exchange for restoring access – is particularly insidious, adds Jason Shim, chief digital officer at the Canadian Centre for Nonprofit Digital Resilience. “Ransomware attackers don’t care whether you’re large or famous. They only care that you have data that is important and valuable to your organization,” Shim says.
Around the same time as Scouts Canada’s systems were breached, the pediatric hospital SickKids was also subject to a ransomware attack. That led to impacted systems being taken offline as well. In a statement on the breach, the team said: “Clinical teams are currently experiencing delays with retrieving lab and imaging results, which may cause longer wait times for patients and families.” The internal human resources team also found that its internal timekeeping system was affected, meaning they had to activate an emergency recovery plan to ensure staff were paid on time.
Another challenge is that small non-profits are often on the receiving end of either low-cost or donated hardware and software, which means they are “using systems that are well beyond the end of [system] support dates and not receiving [security] patches,” Gibson adds. It’s a well-meaning idea, according to Shim, “but non-profits need good hardware just like everyone else.”
Beyond a lack of technical knowledge, non-profits are also often contending with a lack of knowledge about local regulation and their responsibility to protect the data they gather. As the report from CCNDR highlights, “many non-profits are unsure of their basic legal and compliance responsibilities. These regulatory requirements vary based on geography, data type, and activity being undertaken. It is incorrect to assume, however, that non-profits are exempt from privacy laws.”
And finally, a unique circumstance that affects non-profits and social purpose organizations is that some operate as part of federations or associations. One participant in the working group said that “It’s difficult to figure out, establish and maintain boundaries,” especially with respect to who has ownership, power and responsibility over shared systems and data.
What is the potential impact of a cybersecurity or data breach?
Because non-profits are encouraged to stay lean and mission-focused, most of them are not spending a lot of time considering their data security, Gibson says. Randy Purse, a senior cybersecurity advisor at the Rogers Cybersecure Catalyst at Toronto Metropolitan University, echoes this:
“Non-profits want to pile all of the resources they can into mission-dedicated activities, and that is often what investors and donors expect of them too.”
However, despite the increased risk, Gibson says that “non-profits are afraid of reputational damage, and everyone is suffering in silence,” instead of having open and transparent discussions across the sector about what a robust cybersecurity policy or system looks like. “Investment in cyber protection is minuscule in comparison to the cost of remedial action when a breach happens.”
For instance, in the month that the registration system was offline, the Scouts Canada team had to be in constant contact with its community – both parents and volunteers – to proactively mitigate potential reputational damage. “We sent emails to all members, and then to specific people who had been in the system at the time of the breach,” Price says. Each of the affected members was provided not only with a direct email address for communicating with Scouts Canada, but also with a subscription to an identity theft protection service. For Price, this incident solidified that “it’s a question of when an attack like this can happen, not if.”
Purse also warns that the frequency of cybersecurity and data breaches isn’t going to slow anytime soon, because there is a “low risk of prosecution or arrest, but a lot of potential for [cybercriminals to make] profit.”
However, for non-profits in particular, the nature of the data they collect means that they’re putting vulnerable communities at risk by not investing in adequate cybersecurity infrastructure. “What is the impact of a data breach that discloses citizenship status, or someone who is fleeing domestic violence?” Gibson says. Putting vulnerable communities at risk of a data breach or identity theft puts them in even more of a precarious position, especially if they don’t have the awareness or finances to adequately protect themselves against these cyber risks.
Beyond Canada, the International Committee of the Red Cross was also subject to a large-scale cyber attack in 2022, in which a server that hosted the personal data of over 500,000 people was hacked. In the context of humanitarian aid, where people might be on the move and fleeing persecution, it’s even harder to contact those who may have been subject to a data breach. This is part of the reason that the ICRC has proposed a multi-state digital credential that protects medical and other critical facilities in the digital space too. In other words, those attempting to hack the critical digital infrastructure as a form of “digital warfare” will be reminded that the “systems and data they hold are protected from any harm under international humanitarian law in times of armed conflict,” the ICRC writes.
How can the social purpose sector shift to making security a priority?
Following the report, the working group agreed to build and test a prototype of a cybersecurity strategy for the settlement sector, which serves newcomers, immigrants and refugees. The goal is to build a prototype that can be applied to the rest of the social purpose sector as well.
CCNDR will also be working with the Islamic Family and Social Services Association (IFSSA) to build out an internal framework for a cybersecurity policy. In the organization’s existing cybersecurity policy – which was revised in October 2022, and will be revised again in June 2023 – there are several recommendations for how IFSSA can take proactive steps to reduce cybersecurity risk, which can be applied to other organizations as well. That varies from methods of gathering and storing data of both clients and donors, to managing physical spaces and devices. IFSSA’s cybersecurity policy also encourages staff to consider external threats, such as mis/disinformation, doxxing (when personal and identifiable information is shared publicly, with the goal of causing harm), and breaches to third-party technology vendors that they might be reliant on.
But very few non-profits have a dedicated IT staff, let alone a security specialist on staff. In that environment, Gibson suggests, all existing staff members need to be educated on cybersecurity risks, regardless of their role. Everybody should be trained on recognizing phishing attempts, for instance, because “it only takes one staffer to let them in.” Shim adds that resource-constrained organizations may struggle to make this training a priority in their day-to-day work: “There could be a dedicated function for technology in the organization, but it doesn’t fall entirely on that one person. If someone’s credentials get phished, that impacts the entire organization and needs a collective response.”
For Purse, a lot of the problem in making cybersecurity a priority in a non-profit organization stems from leaders not seeing IT as vital to the continuity of the business and the mission. He suggests that non-profit organizations take time to model the cost of a cybersecurity incident. “Could you track the costs of the incident itself, the time that the system is down, the resulting cleanup, and the potential withdrawal of funding due to a lack of trust or reputational damage? Could you compare that to the cost of taking care of an incident before it happens?” A mixture of qualitative and quantitative data can support different cost models and potential outcomes, as well as encouraging buy-in from philanthropic organizations to fund this work.
And while Purse emphasizes that there are a number of free information programs and resources available to smaller organizations, the sector should approach these with caution. “There is a tendency towards low-cost or no-cost security solutions, but they don’t do a very good job. We’d be far better off if we could get the appreciation of the risk here, and more investment to have a cost-effective solution.”
Cybersecurity in the non-profit sector has been historically underfunded, which raises “uncomfortable questions about the [current] state of IT systems and data collection practices,” Gibson admits. “Nobody wants to turn over that rock and see what comes out.”
“One barrier is that investment in cybersecurity doesn’t lend itself to a great photo opportunity. It’s not quantifiable, like the number of meals served or animals rescued,” Gibson says.
“It’s a rare funder that would appreciate cybersecurity as a program cost. It’s typically a cost that has to come out of unrestricted funding, which is already spread thinly.”
Raine Liliefeldt, the director of member services and development at YWCA Canada, echoes this: “Government funders often ask non-profits to take on massive projects, and don’t provide them with enough resources to buy equipment. There isn’t enough funding for laptops, software or security systems if only a small percentage of the project funding goes to general overhead.”
Beyond funders themselves, cybersecurity vendors also have a large role to play in enabling a digitally resilient non-profit sector. “I’ve often seen two-factor authentication being offered as a premium solution, when that should be a default security feature,” says Shim. Cybersecurity vendors have a responsibility to provide software solutions that are not only user-friendly, but also accessible and affordable through non-profit pricing programs, he says.
For Scouts Canada, Price says there are two main ways the organization was able to respond to the incident in a timely manner: planning for the amount of resources and staff time to manage the incident internally, as well as partnering with a managed services provider that they had thoroughly vetted during their contracting process, to ensure they had the technical expertise to handle a cybersecurity breach. The Scouts Canada team were then able to use this experience as a catalyst to develop a wider cybersecurity strategy alongside their technology partner.
YWCA Canada had the opposite experience: one morning, the organization’s servers and data were seized by cyber-attackers, who demanded a ransom. Luckily, the YWCA Canada team had already backed up the data on an external hard drive and did not need to pay the ransom, but they found their IT supplier less than helpful in this critical time. Instead, they found themselves relying on other partners in the social purpose space to help them out – which Liliefeldt believes is a conversation that needs to happen more openly and frequently.
“We were passed from one customer service person to the next, and waiting on hold to get information. At that moment, I would have hoped that they would have been doubling down on their support efforts, as though they themselves had experienced a cyberattack. But that isn’t what happened.”
“The first thing we did was get out of the contract with our IT supplier and brought on another firm. It took us a while to get everything back. In bringing on this new firm, we standardized a lot, including establishing cloud-based infrastructure and making sure everyone was on the same system, such that our IT supplier could run remote security checks. We were walking through the darkness as an organization, but we had colleagues and friends who could guide us with flashlights. There wasn’t a set protocol – we had to build it ourselves.”
And while Purse believes that organizations “don’t need to be rocket scientists in order to be able to protect your networks,” the current shortage of technical specialists in Canada is an essential piece of context. “The extent of the talent shortage in Canada has never been fully defined, but the cybersecurity profession has become a hyperspecialization,” he says. “The demand is higher, and specialists’ rates per hour are higher, which makes it difficult for small organizations and non-profits to tap into that expertise. It might be cost prohibitive.”