Why This Matters Now
Cyber threats don’t discriminate by organizational size. The same attackers targeting banks and hospitals are targeting charities—often with higher success rates because resources are thinner and the assumption is “we’re too small to be a target.” That assumption is dangerous.
According to UC Berkeley’s CyberCAN research, 85% of nonprofit organizations have experienced at least one cyber attack. Canadian charities face similar threats: the 2024 CIRA Cybersecurity Survey found that 74% of Canadian organizations that experienced ransomware paid the ransom—highlighting a widespread lack of preparedness. This isn’t a problem reserved for large institutions with deep pockets—small community organizations, food banks, and local service providers are equally at risk.
The uncomfortable truth: Nonprofits have become the second-most targeted sector by cybercriminals, accounting for 31% of all nation-state attack notifications detected by Microsoft. Why? The sector is what security experts call “cyber-poor, target-rich”—limited security budgets protecting valuable donor and beneficiary data.
The 2026–2027 threat picture is shaped by two forces accelerating simultaneously: cybercrime at scale (credential theft, phishing, ransomware extortion) and AI-enabled social engineering (more convincing impersonation, faster targeting, lower attacker skill threshold).
For charitable organizations, the stakes are compounded: public trust is central to the mission, and a breach doesn’t just cost money—it costs credibility with donors and the vulnerable populations you serve. But here’s the good news: the majority of risk reduction comes from a well-understood set of controls, many of which can be implemented with minimal or no budget.
Key Terms
Before diving into specific recommendations, here’s a quick reference for the technical terms used throughout this document.
Key Findings
Recent research paints a clear picture: charitable organizations face the same threats as commercial enterprises, often with fewer resources to defend against them.
The “Front Door” is Identity and Email
Most real-world charity incidents begin with phishing, credential theft, mailbox compromise, or vendor impersonation. The technical infrastructure may be sound—but if someone can log in as a legitimate user, the perimeter is meaningless. This is why multi-factor authentication (MFA) is consistently the highest-impact, lowest-cost security measure available.
Ransomware Has Evolved
Modern ransomware has shifted from pure disruption to extortion. Attackers frequently steal data before encrypting systems, then pressure victims with threats to publish sensitive information (“double extortion”). Organizations unprepared to recover independently often face the impossible choice between paying ransoms or losing operational capability—a situation that’s particularly dire for charities serving vulnerable populations.
Third-Party Platforms Expand Risk
Charities increasingly depend on SaaS vendors for fundraising, CRM, payments, accounting, and collaboration. Research shows that 75% of nonprofits collect sensitive personal information (SINs, banking details, health data), yet 53% have no full-time IT staff. In Canada, this creates PIPEDA compliance risks in addition to security concerns. Your security posture is only as strong as your weakest vendor integration.
Threat Landscape
AI is amplifying fraud and impersonation risks. Charities of all sizes should expect more attempts at executive impersonation, vendor banking change scams, and “urgent request” fraud patterns.
AI-Enabled Threats: Deepfake voice technology now enables convincing real-time impersonation of executives. A single phone call requesting an “urgent wire transfer” can bypass traditional verification if staff aren’t trained to recognize the pattern. These tools are increasingly accessible to low-skill attackers.
Real-World Examples
Recent attacks on Canadian and international nonprofits demonstrate the scope of the threat:
- Canadian Blood Services (2024): A ransomware attack disrupted operations and compromised the personal data of approximately 34,000 donors. The organization notified donors, implemented credit monitoring, and worked with CCCS to investigate the incident—demonstrating the critical importance of incident response planning.
- SickKids Foundation (2022): Toronto's Hospital for Sick Children experienced a ransomware attack attributed to the LockBit gang that disrupted clinical operations for weeks. While SickKids is a hospital, its foundation (a registered charity) was also impacted—highlighting how attacks on healthcare organizations affect affiliated charitable entities.
- International Committee of the Red Cross (2022): A sophisticated attack compromised the personal information of 515,000 vulnerable people, hampering the ICRC's ability to reconnect families following disasters. Included to illustrate scope: even organizations with substantial resources face these threats—smaller Canadian charities are at even greater risk.
These aren’t outliers. Canadian charities face the same reality as global organizations: attackers don’t distinguish between a large international nonprofit and a local food bank. Both hold data worth stealing and both can be pressured into paying ransoms.
Starting With What You Have
Cybersecurity is not a “nice to have”—it’s a “must have.” But that doesn’t mean it requires a massive budget. The most important controls can be implemented at little or no cost. Start somewhere. Anything is better than nothing.
- Enable MFA on email — Most email providers (Microsoft 365, Google Workspace) include MFA at no additional cost. This single control blocks 99.9% of automated attacks.
- Staff awareness training — Teach staff to recognize phishing and report suspicious messages. Free resources are available from CCCS.
- Verbal verification for payments — Require phone confirmation for any banking changes or wire requests. Zero cost, high impact.
- Basic endpoint protection — Modern antivirus/anti-malware with automatic updates. Nonprofit pricing is often available.
- Backup verification — Test that your backups actually work. This is process, not product—schedule quarterly restore tests.
- Password manager — Solutions like Bitwarden offer free tiers; enterprise options available at nonprofit discounts.
- EDR (Endpoint Detection & Response) — More advanced than basic antivirus, with monitoring and incident response.
- Penetration testing — Have experts attempt to breach your systems and report vulnerabilities.
- Managed security services — Partner with specialists who can monitor and respond to threats 24/7. Particularly valuable for organizations without dedicated IT staff.
Boards need to understand that implementing cybersecurity measures is not a “nice to have”—it is a “must have.” Do what you can, with what you have. There are things you can do today, with no money, that dramatically reduce your risk.
Minimum Viable Controls
These controls address the majority of common attack paths and map cleanly to Canadian and international frameworks. They are also the most frequently scrutinized by cyber insurers—making them a practical benchmark for “adequate controls.”
- MFA Everywhere It Matters: Email, admin consoles, SaaS applications, remote access. This single control blocks 99.9% of automated attacks (Microsoft). Often available at no additional cost with existing services.
- Least Privilege + Admin Separation: No standing admin access. Separate accounts for administrative tasks. Remove local admin rights where possible. This limits damage if any single account is compromised.
- EDR / Endpoint Protection: Modern endpoint detection and response with monitoring and an incident workflow. Legacy antivirus is no longer sufficient against sophisticated threats.
- Patching Discipline: Operating systems, applications, firewalls/network devices, and website/CMS/plugin updates. Automated where possible. Many breaches exploit known vulnerabilities with available patches.
- Ransomware-Ready Backups: Offline or immutable backups with regular restore testing. "We have backups" is not evidence; "we restored successfully on [date]" is. Test quarterly at minimum.
- Email Security Controls: Phishing protection, SPF/DKIM/DMARC configuration, and impersonation safeguards. The email gateway is your most critical perimeter—it's where 68% of breaches begin.
Bottom Line
Cybersecurity for charities isn’t about achieving perfection—it’s about reasonable risk reduction within your means. Start with zero-cost controls (MFA, awareness training, verbal verification). Add low-cost protections as budget allows (endpoint protection, backup testing). Invest in advanced capabilities when mission-critical operations justify the expense.
The uncomfortable reality is that a breach is no longer a question of “if” but “when.” Organizations that prepare accordingly—with tested backups, incident response plans, and staff trained to recognize threats—recover faster and with less reputational damage than those caught unprepared.
Need Help Getting Started?
Telos One provides vendor-agnostic cybersecurity consulting for Canadian charities and nonprofits. We help you assess current risk, prioritize controls, and implement practical defenses within your budget.