Polytechnique Montréal leads pilot project to help nonprofits strengthen their digital networks

By Sidhartha Banerjee, The Canadian Press

Faced with the threat of cyberattacks and limited budgets, Quebec nonprofits are benefiting from free cybersecurity consultations thanks to a pilot project led by Polytechnique Montréal.

Many non-profit organizations fall below the “cybersecurity poverty line,” explains Marc Gervais, executive director of IMC2, a cybersecurity institute that brings together more than 50 professors and their research teams, in collaboration with Polytechnique and other Quebec universities.

“They generally can’t even afford basic training or audits,” he says.

In response, the institute has decided to train students to identify digital security vulnerabilities by having them conduct free audits, supervised by their professors, at these organizations.

In Quebec alone, there are tens of thousands of NPOs, many of which face the same security issues as large organizations: phishing, data breaches, ransomware attacks, hacking, AI-related fraud, and malware (software designed to harm a computer or network).

What they lack are the financial resources and technical expertise needed to counter these threats. In 2023, pro-Russian hackers took down several websites linked to the Quebec government.

The province’s electricity company, Hydro-Québec, was also the victim of a cyberattack that same year: hackers crippled its website and mobile app. However, critical systems were not affected.

Nonprofits may face similar threats, Gervais explained, but they lack the internal expertise to deal with them. This makes the pilot project, called the Cybercitizen Assistance Network, all the more important.

The pilot project is funded by a $1.3 million grant received from Google in January 2024. The first beneficiary was the Institut du Nouveau Monde, a Montreal-based organization whose mission is to increase citizen participation in democratic life, said Louis-Philippe Lizotte, its director of operations.

“Our mission is to promote citizen participation and defend democracy,” said Lizotte. “Ensuring cybersecurity is not a reflex.”

A former employee informed them about the pilot project and, according to Lizotte, they immediately signed on. “We see so many cybersecurity issues in the media,” said the director. “Large companies are exposed, so obviously we are too.”

Assessment and solutions

Gervais explains that when auditing non-profit organizations, the institute often identifies areas for improvement in what it calls cybersecurity best practices, “details that can make all the difference.”

NPOs often lack technical staff dedicated to conducting regular cybersecurity audits, which prevents them from developing written procedures on how to respond to cyberattacks or track incidents.

At the Institut du Nouveau Monde (INM), Lizotte provides de facto technical assistance. He said he was relieved by the audit results, which recommended a few additional tools and better training for staff.

“Now we know where we stand in terms of cybersecurity, and I’m pretty satisfied because we’re not doing too badly. We’re not far from best practices,” he said.

In addition to better equipping NPO staff to deal with threats, the pilot project also helps them comply with a 2021 law that significantly overhauled Quebec’s Personal Information Protection Act. This law imposes rules on all organizations, including non-profit organizations, that process the personal information of Quebecers.

It requires organizations to obtain explicit consent before collecting or disclosing data and to keep a record of privacy incidents, such as unauthorized access to personal information. Violations must be reported to the Quebec Access to Information Commission upon request. Failure to comply with these rules can result in heavy fines.

The INM audit was conducted online, a method that could help NPOs across the province, said Fyscillia Ream, project manager at the cybersecurity institute. However, the goal is to focus on the Montreal and Gatineau regions.

After the audit, the cybersecurity institute produces a report and offers follow-up support, including customized training sessions, with the ultimate goal of helping NPOs become “cybersecurity self-sufficient,” she said. “But we really adapt to the needs of organizations, whether they simply want an audit or to raise awareness among their employees or users.”

Gervais said that although the current program is designed for Quebec, Canada-wide support is needed in the community sector.

“I think we will have to collaborate with other institutions, because this is a truly Canadian need,” he added.

–This report by La Presse Canadienne was translated by CityNews
