Published: February 3, 2025

Mobile Device Security for NGOs: Managing the Overlap Between Physical and Cyber Security

By: David Claridge and Morten Peachey

Mobile devices are central to NGO operations today. David Claridge and Morten Peachey from coc00n Cyber Limited outline some of the key risks posed by relying on these devices. They also offer practical solutions you can take to strengthen your mobile device security.

Smartphones and tablets are indispensable for NGOs. They enable rapid, seamless communication and efficient coordination in complex and often volatile environments. But the volume and sensitivity of the information they contain means mobile devices also present significant security vulnerabilities. And this makes them targets for cyberattacks.

The overlap between cyber and physical security is a critical consideration. Illegitimate access to confidential information—including location data, plans and conversations, and personally identifying information—can pose direct threats to the safety of individuals. Faced with the risk posed by the information we all carry with us, what strategies can be adopted to strengthen mobile device security for NGO workers?

Threats to Mobile Devices

1. Social Engineering and Phishing

Phishing attacks remain one of the most pervasive and effective cyber threats. Vigilance is essential in identifying emails that appear to come from a legitimate sender but are in fact from someone with malicious intent. Many larger cybersecurity attacks start with a successful phishing attack to acquire system access.

For example, in 2021, the Russian-linked group Nobelium hacked USAID’s email marketing system. It then sent phishing emails to over 3,000 development-focused contacts at contractors, NGOs, and think tanks. The phishing attack mimicked authentic communications, luring recipients into exposing sensitive information. Such incidents highlight the importance of training staff to recognise and report phishing attempts.

2. Network Interception

Public Wi-Fi networks remain a significant source of cyber risks, particularly through machine-in-the-middle (MITM) and “evil twin” attacks. In such scenarios, attackers set up malicious Wi-Fi hotspots mimicking legitimate ones, tricking users into connecting to these networks. This allows attackers to intercept sensitive information such as login credentials and confidential communications.
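
An added example, not part of the original article: a defender-side check that compares a Wi-Fi scan against the networks an organisation has recorded as its own and flags look-alike hotspots. The `AccessPoint` fields, the `KNOWN` baseline and the `SCAN` entries are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # radio MAC address of the access point
    security: str   # "OPEN", "WPA2" or "WPA3"

# Baseline the organisation recorded for its own network (constructed values).
KNOWN = {
    "NGO-FieldOffice": {"bssids": {"02:00:5e:10:00:01", "02:00:5e:10:00:02"},
                        "security": "WPA2"},
}
STRENGTH = {"OPEN": 0, "WPA2": 2, "WPA3": 3}

# Constructed scan results, as a device or laptop might report them.
SCAN = [
    AccessPoint("NGO-FieldOffice", "02:00:5e:10:00:01", "WPA2"),   # genuine
    AccessPoint("NGO-FieldOffice", "02:00:5e:99:00:aa", "OPEN"),   # no encryption
    AccessPoint("NGO-FieldOffice ", "02:00:5E:99:00:BB", "WPA2"),  # trailing space
    AccessPoint("CafeGuest", "02:00:5e:20:00:01", "OPEN"),         # unrelated
]

def find_suspect_aps(scan):
    """Return (access_point, reason) pairs for APs imitating a known SSID."""
    findings = []
    for ap in scan:
        base = KNOWN.get(ap.ssid.strip())   # padded names still match
        if base is None:
            continue                        # no baseline for this network
        # Unknown security labels are treated as the weakest setting.
        if STRENGTH.get(ap.security, 0) < STRENGTH[base["security"]]:
            findings.append((ap, "security downgrade"))
        elif ap.bssid.lower() not in base["bssids"]:
            findings.append((ap, "unknown BSSID"))
    return findings

if __name__ == "__main__":
    for ap, reason in find_suspect_aps(SCAN):
        print(f"{ap.ssid!r} {ap.bssid} {ap.security}: {reason}")
```

A matching BSSID does not prove an access point is genuine, since radio addresses can be copied, so this check complements the VPN advice rather than replacing it.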

NGOs should always assume that insecure networks could be monitored or exploited. Domestic mobile communications should be assumed to be compromised, particularly in high information-threat environments like Ukraine, Israel, or the Palestinian Territories. But even in the US, communications infrastructure may not be safe. This is demonstrated by a recent attack by the Chinese hacker group “Salt Typhoon”.

Pegasus, a form of spyware, has been widely used by governments to compromise activists’ and journalists’ devices. These attacks exploit vulnerabilities in applications like WhatsApp to install monitoring software on Android and iOS devices. This allows adversaries to monitor communications, track locations, and activate microphones or cameras. US government experts estimate that more than 100 nations have acquired and are actively using similar technology.

3. Exploitation of Advertising ID (Ad-ID) Data

Advertising IDs (Ad-IDs) are unique identifiers assigned to individual devices. They help app developers and advertisers to collect anonymised data to deliver targeted marketing without exposing personal information directly. However, this legitimate purpose has also created vulnerabilities, as these identifiers can be exploited for malicious purposes.

For instance, data brokers have sold location information derived from Ad-IDs to various clients, including government agencies. A report on the tracking service Locate X, which is sold to government customers, showed how Ad-IDs were used to follow individuals across various locations, exposing movement patterns. Wired reported on the sale of Ad-ID data that revealed sensitive movement patterns of US military and intelligence personnel.

This growing threat to NGOs was highlighted by a study from the International Committee of the Red Cross. The 2018 report argued that metadata can be misused to reveal operational details of aid groups. This places individuals and missions at risk. Similarly, Ad-ID data can enable adversaries to predict the locations and routines of NGO staff, making them vulnerable to targeted attacks or kidnappings.

4. Brute Force Methods

Adversaries may also employ brute force methods to gain access to mobile devices. This can include physically compelling users to unlock their devices or using advanced forensic tools to bypass authentication measures on seized devices.

For instance, forensic tools such as Cellebrite’s UFED and Magnet Forensics’ GrayKey are widely used by Western law enforcement and state actors to bypass security on both iOS and Android devices. These tools can extract data from locked devices, including messages, call logs, and even deleted files. While developed for legitimate purposes, similar technologies have also been misused in high-risk environments, including Russia, Serbia, Myanmar and Nigeria, to target activists, journalists, and NGO workers.

Brute force methods pose a significant risk, particularly where NGOs operate under authoritarian regimes or in conflict zones. Physical seizures of devices during border crossings, raids, or arbitrary detentions can compromise not only personal data but also sensitive operational details, putting entire missions at risk.

Strengthening Mobile Device Security

To mitigate these verified threats, NGOs should adopt a multi-layered security approach tailored to high-risk environments.

1. Secure Device Configuration

  • Regularly update all devices to patch vulnerabilities.
  • Enforce strong, unique passwords and multi-factor authentication.
  • Use device security features like biometric authentication to add an extra layer of protection.
  • Disable unnecessary features such as Bluetooth and automatic Wi-Fi connections.
  • Use device lockdown settings, such as “USB Restricted Mode” on iOS, to limit physical data extraction capabilities.

2. Encryption and Communication Tools

  • Use end-to-end encrypted messaging platforms like Signal.
  • Always use a virtual private network (VPN).
  • Avoid connecting to public Wi-Fi networks without a VPN.

3. Awareness and Training

  • Train staff to recognise phishing attempts and other social engineering tactics.
  • Encourage prompt reporting of suspicious activities or communications.
  • Conduct periodic drills to test organisational resilience to cyber threats.

4. Mobile Device Management (MDM)

  • NGOs should implement MDM solutions to enforce consistent security policies and centralised management of the mobile devices used by staff.
  • Enable geofencing, which will automatically send an alert or lock a device if it travels out of a defined geographic area.
  • Enable remote wipe capabilities to safeguard data if a device is seized, stolen or lost.
  • Regularly audit devices and apps for unauthorised changes or access.
  • Educate staff about the risks of physical device seizures and ensure they know how to enable remote wiping if needed.
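
An added example, not part of the original article and not any MDM product's API: the decision logic behind a geofence rule, applied to device check-ins. The field names, the 15-minute staleness limit and the coordinates are assumptions; a stale position only raises an alert, because a device that is switched off in transit will also stop reporting.

```python
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def geofence_action(fence, checkin, now, max_age_s=900):
    """Return 'ok', 'alert' or 'lock' for one device check-in.

    fence:   {'lat', 'lon', 'radius_km'}            (hypothetical field names)
    checkin: {'lat', 'lon', 'accuracy_km', 'ts'}    (hypothetical field names)
    """
    if now - checkin["ts"] > max_age_s:
        return "alert"   # stale fix: position unknown, ask a human first
    d = distance_km(fence["lat"], fence["lon"], checkin["lat"], checkin["lon"])
    margin = checkin["accuracy_km"]
    if d - margin > fence["radius_km"]:
        return "lock"    # outside the area even allowing for GPS error
    if d + margin > fence["radius_km"]:
        return "alert"   # on the boundary: could be inside or outside
    return "ok"

# Constructed operating area and check-ins (timestamps in seconds).
NOW = 1_700_000_000
FENCE = {"lat": 1.0, "lon": 36.0, "radius_km": 25.0}
CHECKINS = [
    {"lat": 1.10, "lon": 36.0, "accuracy_km": 0.05, "ts": NOW - 60},    # inside
    {"lat": 1.22, "lon": 36.0, "accuracy_km": 1.00, "ts": NOW - 60},    # at edge
    {"lat": 1.50, "lon": 36.0, "accuracy_km": 0.05, "ts": NOW - 60},    # far out
    {"lat": 1.50, "lon": 36.0, "accuracy_km": 0.05, "ts": NOW - 7200},  # stale
]

if __name__ == "__main__":
    for c in CHECKINS:
        print(c["lat"], c["lon"], geofence_action(FENCE, c, NOW))
```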

5. Reducing Exposure to Ad-ID Data

  • Turn off advertising tracking on mobile devices.
  • Use privacy-focused browsers and search engines.
  • Advocate for app developers to minimise reliance on Ad-ID in sensitive regions.

6. Mitigating Brute Force Attacks

Brute force attacks pose significant risks to NGO personnel, particularly during transit or in conflict zones. To reduce the likelihood of unauthorised access:

  • Keep devices turned off when transiting airports or high-risk areas to prevent forced unlocking.
  • Use USB data blockers when connecting to public charging points to prevent data extraction via USB ports.
  • If an official tries to take your phone, quickly enable device lockdown features, such as “Lockdown Mode” on Android (press power button and select Lockdown) or “SOS Mode” on iOS (press power button 5 times), which disable biometric authentication and prevent forced unlocking.
  • Regularly delete any sensitive information that is not essential to ongoing operations.

These measures, combined with broader digital hygiene practices, can help NGOs safeguard sensitive data and mitigate physical security threats.

Looking Ahead: Emerging Threats

Artificial intelligence (AI)-driven phishing campaigns have become increasingly sophisticated, enabling adversaries to craft convincing phishing attempts or automate surveillance efforts. To counter such tactics, NGOs should invest in AI-driven defensive tools, such as coc00n, that can identify and block threats in real time.

Advances in communication encryption are becoming critical as governments in some regions increase efforts to intercept digital communications at network level. Tools like end-to-end encryption and decentralised communication apps, which communicate device to device without passing through a central server, are essential for safeguarding sensitive discussions from unauthorised access. Signal is the most popular example of these and is very secure for most cases, although it is not truly decentralised; purists argue in favour of a number of less well known but genuinely decentralised solutions.

The rise of state-sponsored surveillance software, akin to Pegasus, underscores the importance of vigilance. NGOs and activists should adopt zero-trust frameworks and regularly audit devices for signs of compromise. These measures are vital to protecting personnel and operations in increasingly hostile digital landscapes.

As adversaries adopt modern technologies, NGOs must anticipate evolving threats. By staying informed and adopting proactive measures, NGOs can better protect their missions against persistent cyber threats.

The views and opinions expressed in this article are solely those of the authors. They do not necessarily represent the views or position of GISF or the authors’ employers.

About the authors

David Claridge is the Director of Consultancy Services at coc00n Cyber Limited, working to build robust, resilient and holistic cybersecurity solutions. He has over two decades of experience in senior roles in the security risk management sector.

Morten Peachey is the Chief Information Security Officer at coc00n Cyber Limited. With over ten years of specialised experience in information security and cyber intelligence, his goal at coc00n is to lead in developing cutting-edge security architectures that can withstand the most sophisticated threats.

Image credit: Gabriel Freytez/Pexels
