Everyone faces cyber security risks. But NGOs have particular vulnerabilities. In this blog, Sneha Dawda and Nick Robinson from AnotherDay break down some of the key challenges and offer practical solutions.
Unique cyber risks for NGOs
In an increasingly volatile and digitised world, managing cyber risk has never been more important. Nowhere is this more apparent than in the NGO sector, where the risk calculus is often more severe in comparison to other organisations in the public and private sector.
A recent study by the CyberPeace Institute found that 41 per cent of Geneva-based NGOs had fallen victim to a cyberattack within the past three years. In addition, 70 per cent believe they currently lack an adequate level of resilience or expertise to recover from a disruptive incident.
For NGOs operating in high-risk countries, delivering essential humanitarian work brings specific cyber security challenges. A primarily remote workforce, often operating in areas where devices can be damaged or stolen, may be more vulnerable to attackers. Likewise, constrained IT budgets can make prioritising cyber security a challenging proposition.
In this article, we highlight the best practices and measures for NGOs to build cyber resilience, breaking them down into the common methodology of people, process, and technology.
People: improving cyber security outcomes among the workforce
In cyber risk management, people are the first line of defence. This is because successful cyberattacks often rely on human error or manipulation, rather than a purely technical flaw, to gain access to a network. In an NGO context, people management can be challenging. This is particularly the case when working in high-stress environments, or where a lack of resource, expertise and general cyber awareness among a disparate, global workforce can lead to a poor cyber security culture.
According to the aforementioned CyberPeace Institute study, 85 per cent of NGOs recognise the importance of raising cyber security awareness amongst employees and volunteers. However, in practice, only 52 per cent of them provide any form of cyber security awareness training to their personnel.
Cyber awareness training is vital to ensure the first line of defence (the people) is as strong as possible. NGOs should conduct cyber awareness training at least twice a year, with an emphasis on data management. If budgets are constrained, training can be delivered through low-cost means, such as webinars. If gamification of training is a priority, webinars can still incorporate gamified elements such as polls or quizzes. Other interactive tools to promote cyber awareness are also available free online. For instance, KnowBe4 offers free tools to run phishing security tests.
Another key issue is managing the risk from spyware. Humanitarian organisations are at high risk from authoritarian governments that do not view NGOs in a positive light. But the best defence against spyware remains the organisation's people. Promoting good cyber hygiene among staff is key. This can include basic actions, such as using unique, strong passwords. It can also include regularly backing up essential files to a secure cloud service, like Microsoft OneDrive.
Fundamentally, implementing a positive cyber security culture has a greater value to overall cyber resilience than many other initiatives. It encourages employees to take cyber security seriously, which is often a major cultural challenge. IT professionals must also play a part. They should not institute a ‘blame game’ when individuals make mistakes, such as on a phishing exercise. They must also maintain an open mind when speaking to staff that may have varying degrees of computer literacy.
Process: policy and governance under pressure
NGOs face unique challenges. Therefore, they need bespoke processes to manage risk. These processes should be based on the NGO’s enterprise and operations, as well as the geopolitical contexts in which they operate. They should also consider the organisation’s technology stack. This refers to the digital programs and services it relies on for day-to-day operations, such as Microsoft 365.
Cyber security processes are typically delivered through policies that underpin an overarching governance framework. Only 11 per cent of NGOs surveyed by the CyberPeace Institute had a dedicated professional in a director/officer position responsible for cyber security. Likewise, just 4 per cent declared that they had any form of actionable cyber security policy. A recent UK government survey also found that only 30 per cent of UK-based charities/NGOs have board members explicitly responsible for cyber security. This is compared to 61 per cent in larger businesses. Having a process owner in charge of cyber security can drastically improve governance and drive the creation of policy. Reporting structures to the board can then be clear, and if further investment is needed in cyber security controls and policies, the responsible officer can ensure it is considered.
Policy frameworks and strong governance are particularly important because NGOs often outsource their technology stack to IT vendors, software companies and others. The more vendors an NGO has, the more at risk they become to supply chain attacks. Thus, vendors must be managed carefully – not only from an access control point of view, but also considering their own approach to managing cyber risk.
A simple cyber security questionnaire issued to any potential vendor is a sensible and inexpensive precaution. One of the most flexible is available from Bitsight, and can be adapted to any organisational structure. The questionnaire could be issued upon any contract renewal and, when signed, should be considered a legal declaration of the vendor's controls.
Another critical but inexpensive governance and policy process is incident response. Whilst nearly half of NGOs surveyed by the CyberPeace Institute have reported being impacted by a cyberattack, a worrying 78 per cent stated that they currently do not have an incident response plan to help detect, respond to, and recover from a cyber incident. Having an incident response plan that outlines actions to be taken in the event of a breach could reduce impact and maintain the safety of the workforce.
Cyber Management Alliance has a free incident response plan template that can be adapted. Likewise, the UK’s National Cyber Security Centre has a guide for small businesses on what to do in the event of a breach. It can be used to inform any plan that is being devised. Even though it is designed for businesses, it still holds useful transferable information for NGOs.
Another policy that would be particularly useful for NGOs is an access control policy. This outlines the process for creating and managing accounts for those who join or leave the organisation. It should make clear that the conditions around each account involve complex passwords and multi-factor authentication. It should also include periodic reviews of the directory of accounts, so dormant accounts can be suspended. This is critical for ensuring attackers have as small an opportunity to infiltrate the organisation as possible. The SANS Institute has some useful sample policies that can be adapted.
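As an added illustration of the periodic account review described above (this is example code written for this article, not an NGO's or vendor's tool), the script below applies three of the policy's checks to a constructed export of the account directory: it flags accounts that are dormant or have never signed in, flags accounts without multi-factor authentication, and ranks privileged accounts first. The column names, the fictitious users and the 90-day dormancy threshold are assumptions; adapt them to your identity provider's export and your own policy.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export of the account directory (fictitious users). The column
# names are an assumption; adapt them to whatever your identity provider exports.
SAMPLE_EXPORT = """user,last_sign_in,mfa_enrolled,roles,enabled
alice@example.org,2024-05-28,yes,Global Administrator,yes
bob@example.org,2024-01-10,no,,yes
carol@example.org,2023-11-02,yes,User Administrator,yes
dave@example.org,,no,,yes
erin@example.org,2024-05-30,no,,yes
frank@example.org,2023-01-01,no,,no
"""

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold; set it in your policy


@dataclass
class Finding:
    user: str
    issue: str      # "dormant" or "no_mfa"
    severity: str   # "high" for privileged accounts, "medium" otherwise


def review_accounts(export_text: str, today: date) -> list[Finding]:
    """Apply the access control policy checks to a directory export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue  # already suspended, nothing to review
        privileged = bool(row["roles"].strip())
        severity = "high" if privileged else "medium"
        last = date.fromisoformat(row["last_sign_in"]) if row["last_sign_in"] else None
        # An account that has never signed in is treated as dormant too.
        if last is None or today - last > DORMANT_AFTER:
            findings.append(Finding(row["user"], "dormant", severity))
        if row["mfa_enrolled"] != "yes":
            findings.append(Finding(row["user"], "no_mfa", severity))
    # Privileged accounts first so the reviewer handles the riskiest cases first.
    return sorted(findings, key=lambda f: (f.severity != "high", f.user))


def suspension_candidates(findings: list[Finding]) -> list[str]:
    """Accounts the policy says should be suspended pending review."""
    return sorted({f.user for f in findings if f.issue == "dormant"})


if __name__ == "__main__":
    results = review_accounts(SAMPLE_EXPORT, date(2024, 6, 1))
    for f in results:
        print(f"{f.severity:6} {f.user:20} {f.issue}")
    print("suspend:", suspension_candidates(results))
```

Run against a real export, the output is the review record the policy asks for: who to suspend, and whose MFA enrolment needs chasing before the next review.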
Technology: aligning security tooling with need
The final pillar that every NGO should consider is the technology that underpins their operations and cyber security. NGOs are embracing technology more than ever to streamline their operations and create efficiencies. They are using everything from cloud-based platforms to manage vast amounts of sensitive data, to AI-powered tools for analytics and improved service delivery. Such technological integration is transformative. But it can introduce risks to the organisation if implemented poorly.
Typically, most best practice advice recommends purchasing services whose security features can be switched on as optional add-ons, as this offers the best value for money. While this is true, some security add-ons require further investment in the tool, and this should be weighed against both the need for the feature and the ease of implementing it.
Consider some of the core requirements for managing the technology stack: visibility across the network and devices as a baseline, defences such as firewalls, and a method of investigating security logs following an incident. In addition to this, access control and vulnerability management are vital to maintaining the security of the network. All-in-one solutions, such as Microsoft 365, are effective and considered an industry staple. However, their security tools will be most effective on Windows devices. For Apple or Linux devices, implementation may be more difficult.
Shifting the needle on NGO cyber security
Managing cyber risk is essential for any NGO. It should form a central component of any risk management strategy.
NGOs face a multitude of challenges – from the macro geopolitical and economic, to the internal and cultural. We have highlighted several ways NGOs can look to improve their cyber security posture. These include prioritising or investing in people, process and technology.
Furthermore, making use of the GISF peer network across the NGO sector could ‘shift the needle’ for improving the cyber maturity of all NGOs, as it has done in other sectors. This can be achieved through information sharing, best practice setting, or even pooling resources.
Best Practice Recommendations Summary
| Pillar | Recommendation |
| --- | --- |
| People | Conduct cyber awareness training twice a year and introduce gamified elements to maximise engagement. |
| People | Encourage a good cyber security culture to embed positive engagement among staff, and a forum in which they can ask questions without repercussions. |
| Process | Assign a senior responsible officer for cyber security to introduce more accountability and structure to cyber risk management. |
| Process | Introduce vendor management processes, such as a questionnaire for new or existing vendors, to ensure they have good cyber controls. |
| Process | Introduce an incident response plan to outline steps to take in the event of a breach. This should include contact information for those who need to make decisions during a crisis. |
| Process | Implement an access control policy that assists in managing accounts and minimises the risk of an attacker gaining access to dormant or privileged accounts. |
| Technology | Invest in baseline security tools that also offer value for money. Make sure these investments align with your priorities and the services you already have in place. |
The views and opinions expressed in this article are solely those of the authors. They do not necessarily represent the views or position of the authors' employers.
About the authors
Sneha Dawda is a cyber risk consultant at AnotherDay, a defence and security consulting firm based in London. She has a Master's from the University of Sheffield in Global Security and was a Research Fellow in cyber security at the Royal United Services Institute. Sneha has appeared in media such as Times Radio and Channel 4 News, providing insights into major cyber security issues and events.
Nick Robinson is a digital and cyber security consultant at AnotherDay, a defence and security consulting firm based in London. Nick recently completed his doctorate in Geopolitics and Cyber Security as part of Royal Holloway’s Centre for Doctoral Training in Cyber Security. He has experience working with stakeholders across government, industry and academia both in the UK and Baltic states.