October 30th, 2025

Helping Quebec non-profits below ‘cybersecurity poverty line’ strengthen networks


By Canadian Press on October 30, 2025.

MONTREAL — Facing the threat of cyberattacks and with limited budgets, non-profit organizations across Quebec are being offered free cybersecurity consulting sessions through a pilot project led by Polytechnique Montréal engineering school.

Many non-profits are often below the “cybersecurity poverty line,” says Marc Gervais, executive director of IMC2, a cybersecurity institute involving Polytechnique and other Quebec universities that groups more than 50 professors and their research teams.

“They typically cannot even afford training or basic audits,” he said.

In response, the institute decided to train students on how to identify weaknesses in digital security infrastructure by having them conduct free audits, supervised by their professors, on non-profits.

In Quebec alone, there are tens of thousands of non-profits, many of which struggle with the same security issues as larger organizations: phishing, data breaches, ransomware attacks, piracy, artificial intelligence-linked fraud, and malware — software designed to harm a computer or network. What they lack are the finances and technical expertise to counter such threats.

In 2023, pro-Russian hackers took down some Quebec government-linked websites. The province’s electrical utility, Hydro-Québec, was also hit with a cyberattack in 2023, with hackers shutting down its website and cellphone app; however, critical systems weren’t affected.

Non-profits can face similar threats, Gervais said, but they don’t have the in-house expertise to deal with them. That makes the pilot project, dubbed the “cybercitizen assistance network,” all the more important.

The pilot is being funded thanks to a $1.3-million grant from Google in January 2024. The first to benefit was Institut du Nouveau Monde, a Montreal-based group with a mission to increase citizen participation in democratic life, said Louis-Philippe Lizotte, its operations director.

“We are here to promote citizen participation, defend democracy,” Lizotte said. “Ensuring cybersecurity — it’s not a natural reflex.”

A former employee informed them of the pilot and Lizotte said they jumped at it. “I mean there’s so many issues that we see in the media,” Lizotte said of cybersecurity failings.

“I mean big corporations are at risk, so obviously we also are.”

Gervais says by auditing non-profits, the institute often identifies ways to strengthen what he calls basic cybersecurity hygiene, “little aspects that can really make a difference.”

Non-profits often lack dedicated technology staff to carry out regular cybersecurity audits, leaving no one available to put together written procedures on how to react in the event of a cyberattack, or to track incidents.

At the Nouveau Monde non-profit, Lizotte is the de facto technical support. He said he was relieved with the results of the audit, which recommended a few extra tools and better training for staff. “Now we know where we stand right now in terms of cybersecurity and I’m quite satisfied because we are not that bad. We are not that far away from having the best practices,” Lizotte said.

Aside from better equipping non-profit staff to deal with threats, the pilot project is also helping them conform to a 2021 law that overhauled Quebec’s privacy act. The law imposes rules on all organizations, including non-profits, that handle Quebecers’ personal information.

It requires organizations to obtain explicit consent before they can collect or disclose data, and to maintain a registry of confidentiality incidents, such as unauthorized access to personal information. Breaches are to be communicated to the province’s access to information commission upon request. Non-compliance can result in stiff fines.

The Nouveau Monde audit was done online, a method that would permit non-profits across the province to be assisted, said Fyscillia Ream, the project manager at the cybersecurity institute. But the plan is to focus on the Montreal and Gatineau areas.

After the audit, the institute produces a report and offers follow-up support including adapted training sessions with the ultimate goal of helping the non-profit become “autonomous regarding their cybersecurity,” Ream said.

“But we really adapt to the needs of organizations, whether they only want an audit, or if they just want to raise awareness among their employees or users,” Ream said.

Gervais said that while the current program is designed for Quebec, there is a need for pan-Canadian assistance in the non-profit field.

“I think we’ll have to collaborate (with other institutions) because this is a truly Canadian need,” Gervais said.

This report by The Canadian Press was first published Oct. 30, 2025.

Sidhartha Banerjee, The Canadian Press

