Why This Matters Now
Canadian charities are operating in an environment where cyber risk is no longer "an IT problem." It is an operational continuity issue, a financial risk, and increasingly a trust-and-reputation risk with direct implications for donor confidence, beneficiary privacy, and funder due diligence.
The 2025–2026 threat picture is shaped by two forces accelerating simultaneously: cybercrime at scale (credential theft, phishing, ransomware extortion) and AI-enabled social engineering (more convincing impersonation, faster targeting, lower attacker skill threshold).
For charitable organizations specifically, the stakes are compounded: thinner security budgets, higher public trust requirements, and regulatory obligations under PIPEDA that can't be ignored. A breach doesn't just cost money—it costs mission credibility.
The good news is that the majority of risk reduction comes from a well-understood set of controls. Organizations that adopt an insurance-aligned baseline, govern it at the board level, and document evidence will be best positioned to protect donors and beneficiaries, maintain service delivery, and satisfy the expectations of funders and partners.
Key Findings
Canadian organizations report high levels of attempted or successful cyber attacks and a rising incidence of data breaches and ransomware. For charities, the same threat actors and techniques apply—often with higher impact.
The "Front Door" is Identity and Email
Most real-world charity incidents begin with phishing, credential theft, mailbox compromise, or vendor impersonation. This aligns with US and global breach reporting: the majority of breaches involve the human element and credential compromise. The technical infrastructure may be sound—but if someone can log in as a legitimate user, the perimeter is meaningless.
Ransomware Has Evolved
Modern ransomware has shifted from pure disruption to extortion. Attackers frequently steal data before encrypting systems, then pressure victims with threats to publish sensitive information ("double extortion"). Recovery success depends less on whether a ransom is paid (decryptors are unreliable, and payment does not verify that stolen data was deleted) and more on whether the organization can restore systems confidently, quickly, and safely from backups the attacker could not reach.
Third-Party Platforms Expand the Attack Surface
Charities increasingly depend on SaaS vendors for fundraising, CRM, payments, accounting, and collaboration. This increases exposure to vendor breaches, configuration errors, and identity compromise across connected systems. Your security posture is only as strong as your weakest vendor integration.
Threat Landscape
AI is amplifying fraud and impersonation risks. Charities should expect more attempts at executive impersonation, vendor banking change scams, and "urgent request" fraud patterns.
AI-Enabled Threats: Deepfake voice technology now enables convincing real-time impersonation of executives. A single phone call requesting an "urgent wire transfer" can bypass traditional verification if staff aren't trained to recognize the pattern and required to confirm through an independent channel: a callback to a number already on file, never one supplied in the call or email.
Primary Attack Vectors
- Business Email Compromise (BEC): attackers impersonate executives or vendors to redirect payments or extract sensitive information. AI makes these attempts more convincing and personalized.
- Credential Theft: stolen or weak passwords remain the easiest path into organizational systems. Without MFA, a single compromised credential can expose everything.
- Ransomware with Data Exfiltration: modern ransomware operators steal data before encrypting, creating dual pressure: pay to decrypt, and pay again to prevent publication of donor and beneficiary information. Paying provides no assurance that the stolen copy is destroyed.
- Supply Chain Compromise: attackers target vendors and service providers knowing they provide access to multiple downstream organizations. One compromised fundraising platform can affect thousands of charities.
Minimum Viable Controls
These controls address the majority of common attack paths and map cleanly to Canadian and international frameworks. They are also the most frequently scrutinized by cyber insurers—making them a practical benchmark for "adequate controls."
- MFA Everywhere It Matters: email, admin consoles, SaaS applications, remote access (VPN/RDP), and finance and payroll systems. MFA blocks most password-only attacks, but it is not a complete answer: adversary-in-the-middle phishing kits can relay one-time codes and push approvals, so use phishing-resistant methods (FIDO2 security keys or passkeys) for administrators and finance staff, and disable legacy authentication protocols that bypass MFA.
- Least Privilege + Admin Separation: no standing admin access. Separate accounts for administrative tasks, with time-limited (just-in-time) elevation where the platform supports it. Remove local admin rights where possible.
- EDR / Endpoint Protection: modern endpoint detection and response (EDR) with someone, in-house or a managed provider, actually watching the alerts and an agreed incident workflow. An unmonitored EDR deployment adds little; legacy antivirus alone is no longer sufficient.
- Patching Discipline: operating systems, applications, firewalls and network devices, and website/CMS/plugin updates. Automated where possible, with internet-facing systems patched first.
- Ransomware-Ready Backups: offline or immutable backups, with at least one copy that the production domain's administrator credentials cannot delete or encrypt, since operators routinely destroy reachable backups before deploying ransomware. Test restores regularly: your backup strategy is only as good as your last successful restore test.
- Email Security Controls: phishing protection, SPF/DKIM/DMARC, and impersonation safeguards. Publish an SPF record ending in -all, sign all outbound mail with DKIM (including mail sent on your behalf by fundraising and CRM platforms), and move DMARC from p=none through p=quarantine to p=reject while reviewing aggregate reports for legitimate senders you missed. Email remains the most common entry point, so treat the mail platform as a primary perimeter.
- Security Awareness + Simulations: regular training with clear user reporting paths. Staff need to know both what to watch for and how to report suspicious activity, and reporting should be encouraged rather than penalized.
- Payment Verification Workflows: formal verification for vendor banking changes and PAD (pre-authorized debit) or wire requests. Out-of-band confirmation, using contact details already on file rather than those in the request, prevents the majority of payment fraud.
- Incident Response Plan + Tabletop: documented roles, contacts, communications plan, and legal/privacy steps (including PIPEDA breach-reporting obligations). Tested through tabletop exercises at least annually.
- Vendor Register + Security Expectations: documented list of vendors with minimum security requirements: MFA, breach notification clauses, and access scope limitations.
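The SPF and DMARC settings described under Email Security Controls are easy to get subtly wrong (a `~all` terminator, a DMARC record left at `p=none`, a missing reporting address), and each of those leaves the charity's domain spoofable for the BEC attempts described above. The following checker is an added example, not code from the original page or from Telos One. It parses SPF and DMARC TXT records supplied as strings and reports the weak settings. The two domains and their records are constructed for illustration; in practice you would fetch the TXT records for the domain and for `_dmarc.<domain>` from DNS first (for example with the dnspython library), then pass them to `assess()`.

```python
"""Checker for the SPF and DMARC records a charity publishes for its mail domain.

Added example, not code from the original page. Records are supplied as
strings; the sample domains below are constructed, not real DNS data.
"""
from typing import Dict, List, Optional

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "weak-charity.example": {
        "spf": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak-charity.example",
    },
    "hardened-charity.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                  "rua=mailto:dmarc@hardened-charity.example"),
    },
}


def parse_spf(record: str) -> Optional[Dict[str, object]]:
    """Return the qualifier on the 'all' mechanism and the number of
    DNS-lookup terms, or None if the record is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"                      # SPF's default qualifier is pass
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        if t == "all":
            all_qualifier = qualifier
        elif (t in ("a", "mx")
              or t.startswith(("a:", "a/", "mx:", "mx/", "ptr",
                               "include:", "exists:", "redirect="))):
            lookups += 1                     # terms that each cost a DNS lookup (RFC 7208 s4.6.4)
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs, or None if it is not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_record: Optional[str], dmarc_record: Optional[str]) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting was found."""
    findings: List[str] = []

    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no valid v=spf1 record; any host can claim to send for the domain")
    else:
        q = spf["all"]
        if q in (None, "+"):
            findings.append("SPF: missing or +all terminator; the record authorises every sender")
        elif q == "?":
            findings.append("SPF: ?all (neutral) gives receivers no signal to act on")
        elif q == "~":
            findings.append("SPF: ~all (softfail); weaker than -all unless DMARC is enforcing")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} lookup terms exceeds the limit of 10 (permerror, SPF ignored)")

    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record; SPF/DKIM failures are never enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once every legitimate sender passes")
        elif policy != "reject":
            findings.append(f"DMARC: missing or invalid p tag ({policy!r})")
        pct = dmarc.get("pct", "100")        # pct defaults to 100 when absent
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so the aggregate reports that reveal unknown senders are not collected")
        sp = dmarc.get("sp", policy).lower()  # subdomain policy inherits p when absent
        if policy == "reject" and sp != "reject":
            findings.append(f"DMARC: subdomain policy sp={sp} is weaker than p=reject; spoofers will use a subdomain")

    return findings


def assess_samples() -> Dict[str, List[str]]:
    """Run the checker over the constructed sample domains."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for domain, findings in assess_samples().items():
        print(f"{domain}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed samples, the weak domain produces two findings (softfail SPF and a monitor-only DMARC policy) and the hardened domain produces none. The useful habit is to re-run a check like this whenever a new sending service (a fundraising platform, a newsletter tool, a payment processor) is added, because each one must be included in SPF and signed with DKIM before the DMARC policy can safely stay at p=reject.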
Framework Alignment
Boards do not need to become technical. They do need to ensure a consistent baseline of controls is funded, implemented, and evidenced. The most defensible approach aligns with established frameworks.
| Framework | Focus | Best For |
|---|---|---|
| CCCS Baseline Controls | Pragmatic "80/20" security approach | Canadian organizations seeking practical guidance |
| NIST CSF 2.0 | Governance and risk oversight | Board-level security governance (new "Govern" function) |
| Cyber Insurance Requirements | Real-world control benchmarks | Understanding what "adequate" looks like in practice |
| CIS Controls | Prioritized technical safeguards | Implementation roadmap for IT teams |
Cyber insurance application questionnaires have become a de facto standard for "minimum viable security": what insurers require reflects the controls whose absence shows up in claims. Treat that list as a floor rather than a ceiling; it is the market's view of a defensible baseline, not a statement of everything a given charity needs.
What Funders Look For
Funders increasingly evaluate "operational resilience" alongside program outcomes. The most credible signals are not buzzwords—they're evidence of implemented controls.
Evidence That Matters
- MFA Coverage Metrics: percentage of accounts and systems protected by multi-factor authentication, broken out by privileged and standard users. 100% of privileged accounts is the minimum expectation.
- Backup/Restore Test Results: documented RTO/RPO targets (how quickly systems must be back, and how much data loss is tolerable) with evidence of successful restore testing. "We have backups" is not evidence; "we restored successfully on [date]" is.
- Patch Compliance Reporting: current patch levels across systems with defined SLAs (maximum days to remediate) for critical, high, medium, and low severity updates, and the proportion of systems currently within SLA.
- Training Completion & Simulation Trends: staff training completion rates and phishing simulation results over time. Improvement trends matter more than perfection.
- IR Plan + Tabletop Summary: a dated incident response plan and a summary from recent tabletop exercises, including the gaps found and how they were closed. Demonstrates both documentation and practical readiness.
Implementation Support
Many charities can't staff this internally. The goal should be measurable controls plus evidence—not a perfect enterprise program. External support can accelerate implementation while ensuring sustainable practices.
What Light-Touch Partnership Looks Like
A pragmatic partner can help charities establish a risk baseline mapped to CCCS and NIST, implement and verify identity/email/endpoint controls, harden privileged access (including just-in-time patterns), build incident readiness and insurer-grade documentation, and set practical AI guardrails so productivity gains don't create new exposures.
The key distinction: Implementation support should build internal capability, not create dependency. The goal is a charity that can evidence its controls independently—not one that requires ongoing external management.
Prioritization for Limited Budgets
For organizations with constrained resources, the highest-impact investments are: MFA deployment (often free or low-cost), email security configuration (technical, largely a one-time setup, but DMARC reports need a light periodic review and the records must be updated whenever a sending service is added or removed), backup verification (process, not product), and incident response planning (documentation, not technology).
Bottom Line
Cybersecurity maturity in the charitable sector is now directly tied to mission continuity and trust.
The good news is that the majority of risk reduction comes from a well-understood set of controls. Organizations that adopt an insurance-aligned baseline, govern it at the board level, and document evidence will be best positioned to:
- Protect Donors and Beneficiaries: safeguard the sensitive information entrusted to your organization by those you serve and those who support your mission.
- Maintain Service Delivery: ensure operational continuity so that mission-critical programs continue uninterrupted, even in the face of attempted attacks.
- Satisfy Funder and Partner Expectations: demonstrate the operational resilience that funders increasingly require, with evidence rather than assurances.
The question is no longer whether charities need cybersecurity programs—it's whether they can evidence the controls they claim to have.
Ready to Assess Your Security Posture?
Telos One provides security assessments designed specifically for Canadian charities—practical, evidence-based, and aligned with funder expectations.