Ready or Not: Data suggests charities in Canada vulnerable to data security threats
It’s not uncommon these days to hear news of yet another private company, healthcare provider, government agency or individual experiencing some form of data security breach. These accounts often describe the shock, turmoil and deep sense of vulnerability that people at the receiving end of these incidents are dealing with, alongside the very real and serious risks that data security breaches present, such as theft and misuse of private information (and associated legal implications), disruption of the integrity and effectiveness of key operating systems, and potential reputational damage for those affected.
IBM’s 2023 Cost of a Data Breach Report also highlights the financial toll of a data breach, which is incurred in responding to an incident, from “detection and escalation, notification, post-breach response and lost business” (2023, p. 72). The global report, which covers breaches across a range of sectors, including non-governmental organizations, indicates that Canada has the third highest average cost for a data breach at $5.13 million USD (Canada also reportedly ranked #3 in 2022) (IBM 2023, p. 11).
The charitable sector in Canada is not immune to these types of threats, as recent incidents affecting the Canadian Red Cross, the Salvation Army, Scouts Canada, and the Toronto Public Library (to name only a few) unfortunately showcase. Charities across Canada are privy to and entrusted with sensitive, private information, from medical records, to personal contact and financial details, to service delivery records, to opinion data. As Imagine Canada pointed out in its trend analysis in 2023, the significant digital transitions many charities undertook over the course of the pandemic have exposed more organizations to cyber risks that require a proactive approach to effectively mitigate (Barr and Jensen 2023).
Despite the documented risks facing charities, when the Charity Insights Canada Project (CICP) surveyed Canadian charities in July 2023 about the types of technological advancements charities had put in place in recent years, cybersecurity and data protection measures was only the 7th most frequently selected option. Another CICP survey in September 2023 found that only 19% of responding charities were “very confident” in their organization’s data security and privacy measures and only 26% of responding charities assessed themselves as having strong encryption and access controls in place around sensitive donor and beneficiary data. While these results suggest there are evident data security gaps and areas for improvement for many charities, a CICP survey conducted in January 2024 indicates that data security is nowhere near a top priority in the next twelve months for most organizations and that technological disruptions are not perceived to be a significant emerging challenge or risk by most respondents.
The probability of a data security breach and its likely impact may vary between charitable organizations, but that reality hasn’t stopped some from engaging on this issue from a sector-wide perspective and taking to heart the saying that “Prevention is better than cure”. Community Foundations of Canada, for example, published a fact sheet in 2021 on cybersecurity and privacy to help equip non-profits in Canada with critical information about risk factors, prevention measures and obligations in the wake of a data security breach (Community Foundations of Canada 2021). The Canadian Centre for Nonprofit Digital Resilience also published a vision and strategy for the sector in 2023 that outlines the nature of the cybersecurity threat facing the sector and includes a set of strategic objectives that help identify priority action areas (Canadian Centre for Nonprofit Digital Resilience 2023). Charities in Canada have also shared their views on some of the barriers they face in strengthening their data security measures and the types of support that would better enable them to mitigate the risks, such as dedicated funding, training/education, and access to expertise (Edwards 2022, pp. 3-6; CICP 2023, Week 37).
The cybersecurity risk environment is undoubtedly complex and dynamic. However, at a time when so many Canadians are relying on the contributions of charities and when charities are dealing with so many competing priorities, it is important that they are supported to fully understand the realities of the threat environment they are operating in and are assisted to identify and address gaps in their systems before these gaps are potentially weaponized against them.
–The CICP team