Cybersecurity attacks have become a feature of life for many businesses in the past few years, and sadly, nonprofits have not been spared. Recent targets that have drawn media attention include community foundations, community service providers, library systems, school districts, post-secondary institutions, and hospitals. So, what are nonprofits doing to avoid cybersecurity attacks and/or mitigate their impact if they do occur? Imagine Canada recently acquired data on nonprofits from the 2021 Canadian Survey of Cyber Security and Cybercrime, which shed light on the state of cybersecurity in Canada’s nonprofit sector.1 This blog post discusses some of the survey’s most interesting findings.
Statistics Canada has conducted the Canadian Survey of Cyber Security and Cybercrime every two years since 2017. Nonprofits have been included in the survey since its inception, but the data for nonprofits are not publicly available. Imagine Canada recently acquired the data for nonprofits from the 2021 survey (results from the 2023 survey have not yet been released). It is important to note that this survey only includes organizations and businesses with ten or more staff. Statistics Canada defines small organizations/businesses as those with 10 to 49 employees; medium-sized organizations/businesses have 50 to 249 employees; large organizations/businesses have 250 or more employees.
Nonprofits lead for-profits in technology adoption and cybersecurity measures
While nonprofits may perceive themselves as behind for-profits regarding technology adoption, the survey results indicate this is not the case. In fact, they show that nonprofits outpace for-profits in technology adoption across nearly all categories, including websites, social media, e-commerce, and cloud computing. This pattern holds for all sizes of organizations, but the gap is largest among small ones. For example, 81% of small nonprofits use social media compared to only 66% of small businesses, and 70% of small nonprofits use cloud computing or storage compared to only 52% of small businesses.
Nonprofits also lead for-profits in the adoption of most cybersecurity measures. Eighty percent of nonprofits report using email security, compared to 72% of for-profits; 79% report using anti-malware software, compared to 74% of for-profits; 72% report using network security, compared to 67% of for-profits; and 60% report using web security, compared to 50% of for-profits. Less commonly used cybersecurity measures include mobile security (48% of nonprofits), data protection and control (42%), and software and application security (33%). The widespread use of email security and anti-malware software may be attributed to the availability of free and discounted resources for nonprofits from major providers such as Microsoft and Google, which have these features built into their platforms.
Cybersecurity incidents affect organizations of all sizes
Despite their precautions, nonprofits are as likely as businesses to report experiencing a cybersecurity incident that impacted them. Eighteen percent of nonprofits reported experiencing a cybersecurity incident in 2021, as did 18% of businesses. The average total cost to recover from cybersecurity incidents was $19K. The likelihood of experiencing a cybersecurity incident increases with organization size. Still, no one is immune: 16% of small organizations reported incidents, compared to 25% of medium-sized organizations and 35% of large ones. While small organizations may feel they are unlikely targets for cyberattacks, holding internally-valued data may be sufficient rationale for an attacker. The increasing automation of cyberattacks also allows potential vulnerabilities to be discovered and exploited at scale without regard for the size of an organization.
Beyond dollars: Nonprofits face disruption during cybersecurity incidents
Beyond the direct costs of cybersecurity incidents, there are also indirect costs. Among nonprofits reporting a cybersecurity incident, 27% said the incident prevented the use of resources or services. For many nonprofits, this could mean that key service delivery, fundraising, and communications functions become inaccessible due to cybersecurity incidents. Additionally, 21% of nonprofits that experienced a cybersecurity incident said employees required additional time to carry out their work, and 16% said it prevented employees from doing so.
Nonprofits spend half as much as for-profits on cybersecurity prevention and detection
Even though nonprofits are as likely as businesses to experience a cybersecurity incident, they spend significantly less on cybersecurity prevention and detection ($21K annually, on average, compared to $55K). This may be due to a lack of unrestricted funding and/or specialized funding for cybersecurity in nonprofits. Overall, 36% of nonprofits have no employees with regular tasks related to cybersecurity. More than half of these (53%) say they use consultants and contractors rather than staff, but 39% say they have no staff because they lack the resources to hire them.
Cybersecurity training gaps put small nonprofits at risk
There is a significant disparity in rates of cybersecurity training among nonprofits depending on their size. Only 14% of small nonprofits provide cybersecurity training to their IT staff, compared to 31% of medium-sized nonprofits and 65% of large ones. Similar differences exist for training non-IT staff, with only 17% of small nonprofits providing such training, compared to 27% of medium-sized nonprofits and 60% of large ones. Training is certainly an additional cost for cash-strapped nonprofits, but it’s important for risk mitigation, and insurance providers are increasingly requiring at least basic cybersecurity and phishing training.
Lack of awareness of cybersecurity standards leaves many nonprofits vulnerable
Adhering to cybersecurity standards is a way to reduce risk, yet most small and medium-sized nonprofits are unaware of these standards. Only 7% of small nonprofits and 15% of medium-sized ones said they were aware of the existence of cybersecurity standards, compared to 54% of large nonprofits. This may be because large nonprofits are more likely to have dedicated cybersecurity staff who would be aware of standards. There are, however, several standards that small and medium-sized nonprofits can use (see Resources section below).
Resources
There are several free resources that organizations can use to improve their cybersecurity.
Foundational cyber security actions for small organizations is a great starting point for organizations looking for a list of basic actions they can undertake.
Baseline Cyber Security Controls for Small and Medium Organizations CAN/CIOSC 104: 2021 is another helpful resource. This document outlines a national standard for baseline cybersecurity controls to help guide implementation efforts. Appendix B also contains a basic cybersecurity assessment list.
The Bigger Picture
It’s important to remember that cybersecurity is part of the bigger picture of digital transformation. Robust technology practices and policies should support cybersecurity efforts. Fortunately, there are some helpful tools to assist in the broader journey of digital transformation. These include NTEN’s Tech Accelerate and the CanadaHelp’s Charity Growth Academy. Both offer free assessment tools to evaluate technology adoption, practices and policies, and resources and recommendations to improve.
As nonprofits continue to embrace technology to drive their missions, effective implementation of cybersecurity and digital transformation necessitates efforts from funders, policymakers, and nonprofit leaders to increase awareness, provide training and ensure that these efforts are properly resourced.
The Canadian Centre for Nonprofit Digital Resilience (CCNDR) was established to help nonprofits become digitally enabled. If you would like to receive updates on digital transformation, tech, data, and cybersecurity, sign up for the CCNDR mailing list at CCNDR.ca and follow CCNDR on LinkedIn.
1 Statistics Canada. (October 18, 2022). The Impact of cybercrime on Canadian businesses, 2021.
