From Reacting to Planning: Shifting Mindsets on Cybersecurity

Cybersecurity is an urgent concern for many of Open North’s clients and partners. In this post, we explore the Canadian cybersecurity landscape and share our tailored approach to helping small and medium-sized organizations build stronger, more resilient security practices.

Cybersecurity is top of mind for many not-for-profit organizations and municipalities we work with at Open North. Several of our partners come to us with questions about cybersecurity, often worried about their exposure to cyberthreats or possible attacks. For others, cybersecurity is not a worry until projects on data, privacy, or information technology (IT) make security gaps evident. Once this happens, it is hard to ignore the glaring risks that make an organization vulnerable. Finally, events completely outside of the control of organizations can lead to cybersecurity woes. For example, last year a single faulty update from cybersecurity provider CrowdStrike led to a catastrophic global outage, rendering hundreds of thousands of Microsoft Windows systems inoperable. This event came to be known as blue screen Friday. Recognizing these worries, Open North continues to encourage all our partners and clients to shift to a proactive and preventative approach to cybersecurity whenever possible.

In this blog post, we link broad concerns to the cybersecurity context in Canada, and we discuss Open North’s approach to cybersecurity for small and medium-sized organizations. It is our hope that we can partner with not-for-profits, municipalities, and civic-minded partners by supporting over-stretched leaders and executives in the sector, putting adequate resources and thought leadership into strengthening their organizations’ security posture and bringing their security practices in line with best practices.

The consequences of a cybersecurity incident are devastating. From halting organizational operations, to sensitive data breaches and reputational damage, a cybersecurity incident poses an existential threat to any organization. Small and medium-sized organizations are particularly susceptible. Given their size and operating environment, these organizations often rely on trust and close relationships with key partners, stakeholders, and clients. Additionally, small and medium-sized organizations often do not have the immediate financial means to absorb a crisis or mitigate its effects. In short, damage to their reputation or capacity to deliver services can be an existential blow — destroying funding relations, straining revenue streams, and devastating customer trust.

Cybersecurity threats are constantly evolving. A month does not go by without news of malicious actors finding new ways of causing disruption. On the other hand, there are a myriad of resources, standards, and guides to help organizations protect themselves. Navigating these resources can be daunting, especially if one isn’t familiar with some of the technical terminology used or doesn’t have the time to learn it. Small organizations tend to overlook cybersecurity, and they are often hampered by limited resources and the absence of specialized IT security personnel. The Canadian Centre for Nonprofit Digital Resilience (CCNDR) conducted a survey of approximately 50 organizations nationwide. Through their working groups, CCNDR discovered that organizations encounter numerous barriers when attempting to mitigate cybersecurity risks, ranging from insufficient awareness of the problem to inadequate financial resources.

Worryingly, cybersecurity can become salient to management when an organization is forced to respond to an emergency — either because a cybersecurity incident has happened or, more commonly, because changes to the operational environment require compliance with cybersecurity best practice. These operational changes can include new legislation being introduced in a given jurisdiction, insurance requirements, or expectations from funders and partners. For example, the Personal Information Protection and Electronic Documents Act, Canada’s federal privacy legislation, sets out a legal obligation for private sector organizations to safeguard personal information. This obligation includes “safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.”

In our experience, reacting to these changes is not conducive to improving organizational practice around cybersecurity. Often, the drive to meet requirements or “fix” vulnerabilities misses the point. Cybersecurity best practice entails building technical capabilities and creating a culture around existing risk and possible mitigation actions. These actions need to be prioritized to balance need with minimizing impact on day-to-day operations. This is not a superficial effort to be done at a time of crisis.

For small organizations with limited budgets and overstretched capacity, prioritizing actions to mitigate cybersecurity risks is a balancing act between what is necessary and what risks are tolerable to an organization. Furthermore, existing standards and guidelines are not aligned with the realities and constraints of small organizations. Operationally speaking, an organization of 300 staff is very different from an organization of 10, where the executive director is also head of operations and head of fundraising. Right-sizing standards and guides is necessary for small organizations to maximize the usefulness and impact of best practice, recommendations, and actions.

Our approach at Open North is to address these specific concerns through discovery processes and in-depth conversations with our partners to understand their unique risk environment, strategic priorities, and existing capabilities. Afterwards, we are able to implement reasonable recommendations and actions based on best practice, budget, and capacity constraints. Our aim is to create a culture of risk identification and mitigation in organizations we work with — so that in turn our clients can respond to changes in the threat environment.

If you would like to learn more about our approach to cybersecurity, we recommend exploring our new cybersecurity guide or visiting our cybersecurity services page. Do not hesitate to contact Open North if you would like to start building your cybersecurity practice and culture.