A plain-language checklist for band administrators and Indigenous organization leaders — what to actually do, in what order, to meaningfully reduce cyber risk on a realistic budget.
Band offices hold a lot of sensitive information — member registries, health and social services data, financial records, funding agreements, and confidential council discussions. Many also operate critical community services where downtime hurts real people. And funders increasingly require documented cybersecurity practices as a condition of grants.
The good news: a few high-impact controls cover most of the realistic risk. You don't need an enterprise security program. You need a focused, ordered set of practical actions.
1. Turn on multi-factor authentication (MFA) everywhere. Email, Microsoft 365 or Google Workspace, banking, accounting software, any cloud system. This single step blocks the vast majority of account compromises. Free to enable. Do it this week.
2. Set up a real backup of your Microsoft 365 or Google Workspace data. Email, files, SharePoint or Drive — backed up by a third party with at least 30 days of retention. Typical cost is $3-$5 per user per month. Protects against deletion, ransomware, and former-employee data wipes.
3. Set up email filtering and phishing protection. Microsoft 365 Business Premium and Google Workspace both include strong filtering — make sure it's turned on with the right settings. Add a dedicated anti-phishing email security tool if you handle especially sensitive data.
4. Train your staff on phishing. A 30-minute training plus periodic simulated phishing emails will dramatically reduce the chance someone clicks the wrong link. Free or low-cost — and the highest-leverage action you can take to reduce risk.
5. Update all computers and devices regularly. Windows, macOS, iOS, and Android security patches should install automatically. Old, unpatched devices are how most ransomware gets in. Check that auto-update is on for every device the office uses.
6. Write down who has access to what — and remove what's no longer needed. Most band offices have former employees with active email accounts and active access to systems. Get a list of every account in every system, mark which are current, and remove the rest.
7. Use a password manager. 1Password or Bitwarden, business plan, for the whole office. Stops people from reusing passwords or storing them in browser tabs and sticky notes. ~$5-$10 per user per month.
8. Encrypt the laptops and phones. BitLocker on Windows, FileVault on Mac, and screen lock with PIN/biometric on mobile. If a device is lost or stolen, encryption means the data on it stays protected.
9. Document your incident response. One page: who to call if something goes wrong, what systems are critical, who has authority to disconnect things from the network. Include this in your funder reporting — funders want to see this kind of preparedness.
10. Get a cybersecurity audit once a year. An outside review of your setup with a written report. Cost is usually $1,500-$3,000. This is the document funders increasingly ask for, and the report often surfaces a few cheap fixes that meaningfully improve security.
Shared accounts. Multiple people using one "reception@" or "admin@" login. This makes incidents impossible to trace, and you cannot revoke one person's access without disrupting everyone. Switch to individual accounts.
Old laptops, no patching. Computers running Windows versions that no longer receive security updates. Either replace them or upgrade to a supported version — there's no acceptable third option for a computer handling member data.
No backup outside Microsoft. Microsoft 365 is reliable but it's not a backup. We've seen band offices lose months of files when a single account was compromised and emptied. A third-party backup of M365 is a $3-$5 per user per month must-have.
Sensitive files in shared inboxes. Photocopies of member ID, financial records, health information — sitting in Outlook inboxes searchable by anyone with access. Move sensitive files to a properly permissioned SharePoint folder.
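As an added example (not part of the original post or any vendor's tooling) of step 6 and the shared-accounts problem above: a Python script that reconciles an exported account list against the current staff roster and flags former-employee, shared and stale accounts with a reason for each. The CSV columns, the shared-login names, the 90-day threshold and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Shared role logins (the "reception@" / "admin@" problem); the local parts are an assumption.
SHARED_LOCAL_PARTS = {"reception", "admin", "info", "office", "finance"}
STALE_DAYS = 90  # assumption: any account unused this long gets a second look

# Constructed sample export, shaped like a user list from the Microsoft 365 or
# Google Workspace admin console (column names are an assumption; adjust to yours).
ACCOUNTS_CSV = """email,display_name,last_sign_in,enabled
m.cardinal@example-band.ca,Marie Cardinal,2024-05-30,True
j.bull@example-band.ca,Joseph Bull,2024-01-12,True
reception@example-band.ca,Reception Desk,2024-05-29,True
t.wolf@example-band.ca,Tara Wolf,2023-11-03,True
finance@example-band.ca,Finance Mailbox,,False
"""
# Constructed roster of current staff, as HR or the band manager would confirm it.
CURRENT_STAFF = {"m.cardinal@example-band.ca", "j.bull@example-band.ca", "reception@example-band.ca"}

def parse_accounts(csv_text):
    """Read the admin-console export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = row["last_sign_in"].strip()
        accounts.append({
            "email": row["email"].strip().lower(),
            "last_sign_in": datetime.strptime(last, "%Y-%m-%d").date() if last else None,
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return accounts

def review_access(accounts, current_staff, today):
    """Return {email: [reasons]} for every account needing action; clean accounts are omitted."""
    roster = {e.lower() for e in current_staff}
    findings = {}
    for acct in accounts:
        reasons = []
        if acct["email"] not in roster:  # former employee or unknown account
            state = "disable now" if acct["enabled"] else "already disabled; delete it"
            reasons.append(f"not on current staff roster ({state})")
        if acct["email"].split("@")[0] in SHARED_LOCAL_PARTS:
            reasons.append("shared role login: replace with individual accounts")
        if acct["last_sign_in"] is None:
            reasons.append("never signed in: confirm the account is needed")
        elif (today - acct["last_sign_in"]).days > STALE_DAYS:
            reasons.append(f"no sign-in for over {STALE_DAYS} days: confirm still needed")
        if reasons:
            findings[acct["email"]] = reasons
    return findings
```

Run it against your own export once a quarter and keep the output with your funder documentation; the accounts it leaves out are the ones that are current, individual and in use.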
Federal and provincial funders, ISC, and many private funders increasingly want documented IT security practices as a condition of funding. The good news is that the basics on this checklist are usually enough for most funder questionnaires — MFA, backups, training, written incident response, and an annual audit.
If a funder is asking for something more specific (ITSG-33 controls, ISO 27001 alignment, third-party certifications), that's a bigger project. Most band offices we work with don't have those requirements, but if yours does, we can scope an engagement to meet them.
For a typical band office of 10-25 staff, full implementation of this checklist runs roughly $300-$600 per month in ongoing tool subscriptions, plus a one-time setup project in the $3,000-$8,000 range depending on your starting point, plus an annual audit at $1,500-$3,000. Funders will often cover this kind of foundational IT work — it's not "tech for tech's sake," it's compliance and risk reduction.
For a band-owned business or larger administration office handling more sensitive data, costs scale up — but the order of the checklist stays the same.
We work with First Nations organizations across the region. Tell us where you are on the list and we'll help you move down it — at a pace and price that fits.