Cyber protection: Have you received the data call?
With cyber attacks on the rise and in the news, now is the time for NGOs to ask themselves whether they are doing all they can to protect the personal information they have on file. So what can you do?
By Catherine Cheney // 24 May 2017
The call usually goes something like this: You’re about to go out the door to lunch, and you get a call on your cell phone from a number you don’t recognize.
“We’ve had a spear phish attack,” says the person on the line, who tells you that you’re on the emergency call list. “Somebody’s gotten access to the data warehouse. We’re not sure who and we’re not sure how much they’ve gotten.”
At that point, you’re not going back to lunch. You’re going back to your desk. You’re asking yourself whether you’ve done everything you can to protect this data. And if you’re honest, data experts believe, you will likely say no.
“Have you received the data call?” Paul Musser, vice president of international development for MasterCard, said before an audience of NGO leaders at the recent Humanitarian ICT Forum at Google in Mountain View, California.
“I would like all NGOs to realize they have a moral and ethical responsibility to using data safely and securely even in areas where legislation may not be applicable.” — Rakesh Bharania, West Coast lead for Cisco Tactical Operations
The United States State Department assesses NGOs as one of the primary targets in humanitarian and development areas for a cyber attack, Musser said. He said he believes the sector has not yet fully woken up to the scale of the threat, despite an increase in cyberattacks involving ransomware, or malicious software that encrypts or locks a system until a payment is made.
Musser is among a number of leaders urging NGOs to ask themselves whether they are doing all they can to protect the personal information they have on file.
“I would argue that figuring out how to responsibly collect, manage and use data is a prerequisite for making the most of this resource for program insights and to the kinds of partnerships with technology companies that can help us with this process,” said Lily Frey, electronic cash transfer officer with Mercy Corps in Portland, Oregon.
The Electronic Cash Transfer Learning Action Network, which is convened by Mercy Corps with support from the MasterCard Center for Inclusive Growth and PayPal, launched a Data Starter Kit, an online data protection and privacy resource for humanitarian field staff. Data management is an area where the NGO community can learn a lot from the private sector, Frey said. As NGO leaders consider next steps about data protection, it is a useful guide for how to utilize, share, store and dispose of data in a secure way.
And yet, NGO leaders make tradeoffs just like leaders in every sector, investing in other priorities before they invest in information technology, Musser said.
Some 50 percent of nonprofits and NGOs said they had experienced a ransomware event in their organizations, according to a recent report by the Institute for Critical Infrastructure. But when asked if their organizations had formal cyber security units or staff members assigned to cyber-related security tasks, 49 percent said they did not. Only 11 percent said they plan to create these teams or positions in the next six to 12 months.
“I would like all NGOs to realize they have a moral and ethical responsibility to using data safely and securely even in areas where legislation may not be applicable,” said Rakesh Bharania, who works for Cisco on its primary technology response team for disaster relief and humanitarian assistance. “If your mandate is to protect people in the physical space, that mandate extends to the electronic space as well.”
Bharania has partnered with groups including NetHope, which unites nonprofit leaders and technology innovators, to bring security to communication channels. Often, NGOs operate in countries where privacy protections don’t exist, but a turning point came during the summer of 2015.
The Syrian crisis, and the influx of refugee populations to a range of countries with different data regulations, pointed to the need for secure communication channels to protect both the NGOs and the people they were helping.
“It’s an unequal relationship,” Bharania said. “A refugee arriving at a refugee camp is focused on finding a safe place for their child to sleep. If there’s an aid worker sitting there with a laptop, in that moment the refugee is not likely to say, ‘Hey are you encrypting this properly?’”
Data management can include information security (preventing unauthorized access); data protection (the relationship between the collection and dissemination of data, public expectation of privacy, and the legal and political issues surrounding them); and data privacy (determining what data can be shared with third parties). But the definitions can differ depending on who is talking, experts told Devex, with the European definition of data protection equating to the American definition of data privacy.
NGO leaders based or working in Europe are in the midst of determining what the General Data Protection Regulation, which will be implemented in 2018, will mean for their data management.
“While we all want to adhere to open data standards, we need to do so in a way that protects the rights of the people we serve. We need to ensure people’s rights of consent, privacy, security and ownership of the information we collect. Additionally, we need to abide by the laws of the countries in which we work,” reads the description of one of many sessions at this week’s ICT4D forum in Hyderabad, India, focused on data privacy and security.
“As the humanitarian space increases its use of data aggregation, analytics and distribution, the proper stewardship of data becomes critical.”
Panelists from MasterCard, Catholic Relief Services, World Vision International and Oxfam talked about how actors in the humanitarian space can work together to protect the data they collect. In conversations with Devex, several experts pointed to Catholic Relief Services as an example of an organization other NGOs can learn from in this context.
For CRS, data protection translates to the ability to appropriately deploy people, process and technology to comply with local, donor and international ethical policies and norms in protecting the privacy of its donors, staff and beneficiaries, said Joel Urbanowicz, director of information security & ICT process governance at CRS. By contrast, information security refers to the processes and methodologies designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
“At the NetHope level, work has been performed to identify a minimum set of information security standards that all members could conceivably comply with,” he said. “Our thoughts on this topic continue to evolve, but our current thinking is to engage a non-government body currently maintaining a relevant standard to gauge interest in developing a contextual layer to put on top of the standard they currently manage. More tactically, NetHope is looking for vendors interested in developing membership-wide awareness training, breach preparedness and response services.
Doing so will allow members without dedicated information security staff to more easily onboard these capabilities in their organizations.”
Oxfam calls managing data properly perhaps the greatest challenge of the information age and has launched a Responsible Data Management training pack for humanitarian organizations.
“Data security is one thing where we have in-house experts who rigorously research any digital data capture, transmission and storage to ensure we have full awareness about the locations where data is stored, how it is encrypted and who can access it, so we can take mitigating action and demand high standards from tool providers,” Amy O’Donnell, ICT in program lead for Oxfam, told Devex via email. “Responsible data includes data security, but it’s more than just keeping data under lock and key.”
Two years ago, Oxfam launched its responsible data policy, which sets out its commitments not just to data security but also to data management processes, including how the organization gets consent, how people are represented in data, and ultimately how it gets feedback on how data is used.
“It’s about treating the people whose data we manage with respect and dignity, and ensuring that we always act in their best interests,” she said. “It’s a constantly evolving process about deciding when and how to collect data and how to manage risks.”
When used sensitively and appropriately, the information NGOs collect can help bring about tremendous positive change, she said. A rights-based approach has helped Oxfam translate these concepts in a way that resonates with staff and their work. The Responsible Data Management training pack is about turning Oxfam’s policy into practice across other organizations by helping people question and improve data practices in their own contexts.
While the digitization of disaster assistance and humanitarian relief has led to a range of innovation teams, too few of them include risk reduction as part of their portfolio, Bharania said.
“They get enamored with what’s the latest and greatest innovations and don’t think of the potential downsides of what they’re trying to introduce,” he said. “In my opinion, risk reduction activities should go hand in hand with innovation activities. You can’t do one without the other.”
Catherine Cheney is the Senior Editor for Special Coverage at Devex. She leads the editorial vision of Devex’s news events and editorial coverage of key moments on the global development calendar. Catherine joined Devex as a reporter, focusing on technology and innovation in making progress on the Sustainable Development Goals. Prior to joining Devex, Catherine earned her bachelor’s and master’s degrees from Yale University, and worked as a web producer for POLITICO, a reporter for World Politics Review, and special projects editor at NationSwell. She has reported domestically and internationally for outlets including The Atlantic and the Washington Post. Catherine also works for the Solutions Journalism Network, a nonprofit organization that supports journalists and news organizations to report on responses to problems.