Canadian nonprofits are targeted by cybercriminals at a higher rate than most people realize. Charities hold valuable data — donor payment information, beneficiary personal records, grant disbursement banking details — and they're often perceived as having weaker security than corporate targets. That perception is frequently accurate. This checklist covers the cybersecurity fundamentals every Canadian nonprofit should have in place in 2026.
Multi-factor authentication on all accounts — MFA is the single most effective control against account takeover. Enable it for every Microsoft 365, email, banking, and donor management account, and prefer an authenticator app or hardware security key over SMS codes, which can be intercepted or SIM-swapped. There are no legitimate exceptions. Volunteers included.

Unique credentials for every person — No shared passwords. Every staff member and volunteer must have their own individual login, so that activity can be traced to a person and access can be removed for that person alone when they leave.

Offboarding procedure — Document exactly what happens when a staff member or volunteer leaves: disable the account, revoke active sessions and app tokens, remove the person from shared mailboxes and groups, transfer ownership of their files, and reclaim any devices. Orphaned accounts are one of the most common ways nonprofit systems get compromised.

Encrypted backups — Your donor database and financial records must be backed up regularly, the backups must be encrypted, and at least one copy must be kept where an attacker who has taken over your main systems cannot reach it, or ransomware will encrypt the backups along with everything else. Test your restore process at least once per year; a backup you have never restored is an assumption, not a control.

Email security configuration — Publish SPF, DKIM, and DMARC records for your email domain so that receiving mail servers can reject messages that spoof your organization's address. SPF and DKIM on their own only describe legitimate mail; enforcement comes from DMARC, which must be moved from p=none to p=quarantine or p=reject once the aggregate reports show your legitimate senders passing. These records protect your exact domain at receivers that enforce DMARC; lookalike domains still have to be caught by staff.
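The email security item above is the one on this list that comes down to a handful of DNS records, and the common failure is publishing them in a monitoring-only state and never tightening them. The script below is an added example, not tooling from the page or from Nonprofit IT Solutions: it takes the TXT records a domain publishes and reports the settings that still allow spoofing, then shows the same domain with hardened records. The records are constructed for a hypothetical example.org (the p= key in the DKIM record is a placeholder), and the selector name selector1 is assumed, as Microsoft 365 uses selector1/selector2; a real check would fetch the records with a DNS client and feed them to the same functions.

```python
"""Offline SPF / DKIM / DMARC record checker (constructed example)."""
import re

# Constructed "before" records: the weak settings a first-pass setup often leaves.
CURRENT_RECORDS = {
    "example.org": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "selector1._domainkey.example.org": ["v=DKIM1; k=rsa; t=y; p=AAAA"],  # p= is a placeholder
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
}

# Constructed "after" records: what the same domain should publish.
HARDENED_RECORDS = {
    "example.org": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.org": ["v=DKIM1; k=rsa; p=AAAA"],  # p= is a placeholder
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)


def parse_tags(record):
    """Split 'k=v; k2=v2' into a dict with lower-cased keys (DKIM and DMARC syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Return findings for a domain's TXT records; an empty list means SPF is sound."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    # The final 'all' term decides what happens to senders not listed above it.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders are neither passed nor failed")
    elif all_term.lower() in ("all", "+all"):
        findings.append("'+all' authorizes every host on the internet")
    elif all_term == "?all":
        findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    elif all_term == "~all":
        findings.append("'~all' softfail: only effective once DMARC is enforcing")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(txt_records):
    """Return findings for a selector's TXT records (expects the v=DKIM1 tag to be present)."""
    dkim = [r for r in txt_records if r.lower().startswith("v=dkim1")]
    if not dkim:
        return ["no DKIM record at this selector: signatures using it cannot be verified"]
    tags = parse_tags(dkim[0])
    findings = []
    if not tags.get("p"):
        findings.append("empty p= tag: this key is revoked, signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat the mail as unsigned; remove it once signing is confirmed")
    return findings


def check_dmarc(txt_records):
    """Return findings for the _dmarc.<domain> TXT records."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF and DKIM results are never enforced or reported"]
    findings = []
    if len(dmarc) > 1:
        findings.append("multiple DMARC records: receivers ignore all of them")
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy: p={policy!r}")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


def assess(domain, records, selector="selector1"):
    """Run all three checks for one domain over a {dns_name: [txt records]} map."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for label, recs in (("current", CURRENT_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label)
        for proto, findings in assess("example.org", recs).items():
            print(f"  {proto}: {findings or 'OK'}")
```

Run against the constructed "current" records every check reports one problem (neutral ?all, DKIM still in testing mode, DMARC at p=none); against the "hardened" records all three come back clean. The order of the fixes matters in practice: tighten SPF to -all and confirm DKIM signing first, watch the rua= reports for a few weeks, and only then move DMARC to p=quarantine and p=reject, or legitimate mail from a forgotten sender will start bouncing.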
Endpoint protection on all devices — Every device used to access organizational data, including personal laptops and phones used by volunteers, should have endpoint protection software. Microsoft Defender (included with Microsoft 365 Business Premium) is sufficient for most nonprofits when properly configured and when someone actually reviews its alerts.

Security awareness training — Your staff and volunteers are the primary target of phishing attacks. Ongoing training with phishing simulations — delivered through a platform like SecureAware (secureaware.app) — is the standard that cyber insurers increasingly require.

Documented privacy policy — A written, current privacy policy that is readily available to donors and beneficiaries is a PIPEDA requirement where the organization engages in commercial activity (selling or leasing donor lists, for example), and provincial private-sector privacy laws such as Quebec's may apply regardless; funders and donors expect one in any case.

Incident response plan — Know in advance what you will do if you experience a breach: who is called first, how affected accounts and systems are isolated, and who must be notified (your insurer, your bank, affected individuals, and the Privacy Commissioner where breach reporting applies).

Cyber insurance review — Review what your policy actually covers, what it excludes, and which controls (such as MFA and tested backups) the insurer requires as a condition of coverage; a claim can be denied if a required control was not in place at the time of the incident.
Network segmentation — Segment staff networks from guest and public device networks (for example, a separate Wi-Fi network for visitors and program participants) so a compromised public device cannot reach your internal systems.

Vendor security review — Third-party vendors with access to your systems and data are a significant risk. Know which vendors hold or can reach your data, what security commitments they have made, and how they would notify you if they were breached.

Cloud data residency — Confirm where your data is stored and whether Canadian data residency requirements from funders or provincial regulators are met. Microsoft 365 offers Canadian data residency for eligible organizations.

Dark web monitoring — Compromised credentials from your domain regularly appear on the dark web following third-party breaches, because people reuse passwords across services. Monitor for them, and force a password reset and an MFA review for any account that appears.
Start with the first three items: MFA, unique credentials, and a documented offboarding procedure. These three controls address the most common ways Canadian nonprofits get compromised. Nonprofit IT Solutions provides cybersecurity assessments for Canadian charities that identify your specific gaps and give you a prioritized remediation plan. We offer up to 25% discounted pricing for registered Canadian charities. Contact us at (416) 623-9677 or request a free cybersecurity assessment at nonprofititsolutions.com.