NGOs urgently need to take on cybersecurity
“Every single NGO I know has had a breach — they just didn’t know about it,” one expert in the field says.
By William Worley // 12 March 2020

LONDON — “Horrific” cybersecurity practices among NGOs are jeopardizing vulnerable populations, according to experts in the field.

Even as other sectors have made great strides in improving cybersecurity in recent years, the development community, with some exceptions, is said to be lagging on the basics because of its focus on impact as well as the broad costs and complexities of securing information technology systems.

Experts highlighted the need for NGOs to have a dedicated and properly resourced cybersecurity policy that is taken seriously by staff — and called for donors to support this.

“Every single NGO I know has had a breach — they just didn’t know about it,” said Siobhan Green, CEO of Sonjara, a company specializing in providing technical advice to the development sector.

As data collection is now such a crucial part of NGO programming, experts said protecting it must be embraced by the entire workforce.

“The same way program staff have to know about budgets and grants, even though they don’t work in finance, that same kind of proficiency is needed when it comes to data protection in this field,” said Kristy Crabtree, information management and technology adviser in the International Rescue Committee’s Violence Prevention and Response Unit.

‘IT makes it really easy to find people to harm’

Protecting the data of high-risk and marginalized populations — such as people who are HIV-positive and survivors of gender-based violence, or GBV — is a particular concern. Poor cybersecurity causes “huge protection issues,” Green said. “IT makes it really easy to find people to harm.” For example, key population data of HIV-positive people, such as sex workers or men who have sex with men, can record detailed personal information. Hot-spot maps designed for outreach work show where vulnerable populations congregate.
“Across all donors and multiple countries … we see a lot of data being collected,” Green said. “Highly sensitive, personal, identifiable information, such as information on GBV victims — first name, last name, phone numbers, addresses, accusations of perpetrators — that type of information is being ... stored in insecure systems, shared by email, without any kinds of password protection. People are taking photographs of files and emailing them around.”

Local politicians in at least three African countries have demanded access to NGO databases to find and arrest clients. And information can be leaked accidentally, through poor practices such as by sending an email containing unprotected data to the wrong address.

All of this could result in fewer people getting tested for illnesses or participating in programs where they have to share their information, according to Green. “When you are talking about highly marginalized populations ... we are talking about life or death. We are asking for a lot of trust from the people whose data we are collecting, and I don’t think it’s really warranted in a lot of cases right now,” she said.

Why is cybersecurity so tricky?

While NGOs want to serve their clients safely, Gus Hosein, executive director of Privacy International, said there was an overall lack of understanding about what constitutes good cybersecurity.

“It’s hard to do well even for the best of the best of the best,” Hosein said. “In low-grade attacks, all they [the attackers] have to do is recognize that every website and network has its vulnerabilities, and getting access to that isn’t overly difficult unless a lot of investment has gone in.”

Even the few organizations that have made the effort to improve cybersecurity can see it made ineffectual when sharing data with others, such as a partner NGO or local government ministry. “Cybersecurity is a system and the weakest part of the system ... impacts the entire process,” Green said.
The rush for NGOs to employ technological innovations has further complicated matters. “Every CEO of every big NGO has jumped on the next big tech [such as blockchain]. And that’s just outrageous … when they are still running old software they haven’t updated, and as a result the data is being leaked everywhere,” Hosein said.

Technological tools are also pushed by many donors, often leading to inadequate plans for the data collected, Green added.

“NGOs don’t invest in tech because they’re not paid to,” Hosein said. “Funders generally want them to do more and faster, and nobody is going to fund an NGO that says, ‘I’m sorry, we can’t use the latest toy because we haven’t done a security review on it.’ Nobody wants to pay for a tech staff when they could pay for another advocacy officer or comms officer or lawyer.”

As a result, NGOs tend to use third-party operators, which leaves them “no control” over the data. “All it would take is a single funder or U.N. agency ... [to] ask their grantees to spend as much time on security [as on data collection]. Then we might see some change,” Hosein said.

Green agreed that donors should both require and fund data protection and management as part of grants and contracts, which she said currently happens “very rarely.” And donors should work with the governments of low-income countries on addressing what their expectations are for data protection.

What should be done?

Some steps, such as securing devices with passwords and using password managers for different websites, can be done immediately. Simply writing down IT principles for staff and coordinating technical practices across organizations is also key, Hosein said.

Backing up data and managing infrastructure, such as ensuring Wi-Fi networks are properly secured, should also be made a priority. “It’s those basic areas, then you can start worrying about malware and state-sponsored attacks,” he added.
Using role-based access for systems is a “significant need and really lacking,” Crabtree said. “A caseworker should only need to see their own cases, not anyone else’s. A technical lead in a country for a program should be able to see aggregate information but not individual [details] … because they don’t need that information to do their job,” she said.

She admitted this type of software can be expensive but suggested NGOs collaborate and co-invest to produce stronger systems. Alongside a number of agencies, IRC is using a platform called Primero for social work case management.

Different levels of NGO staff also have varying responsibilities. Green recommended that workers in the field have a very clear data management plan that clearly identifies which data is being collected, for what reason, and the risks and mitigation strategies. Simple steps include using codes instead of full names, clarifying what data is actually necessary to avoid collecting too much, and using shared drives in the cloud — which allows for improved access control — rather than email.

Meanwhile, senior managers should ensure that staff members are thinking about cybersecurity before data collection begins and that protection measures are properly financed and resourced. Points to consider include standard operating procedures for breaches, whether more secure software could be used for a particular task, and ensuring cybersecurity standards are implemented in the field and with external partners.

One issue is that NGO professionals tend to be more interested in people than technical procedures, Crabtree said. Her team decided to work with this and organized their data protection work around an ethical base, with an overriding principle of “do no harm.” “We found that to be much more useful for our staff to actually engage with, so they are not just ignoring things IT sends out,” she said.
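The access rule Crabtree describes (a caseworker sees only their own cases; a country lead sees aggregate figures but no individual record) and Green's advice to store codes instead of full names can be expressed in a few lines. The following is an added example written for this page, not code from the article, from IRC or from the Primero platform; the roles, user ids, case codes, phone numbers and the minimum-cell threshold are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, asdict

# Added example (hypothetical): role-based access to a small case-management
# store. Clients are held under an assigned case code rather than a name; the
# code-to-identity mapping would live elsewhere, under separate controls.


@dataclass(frozen=True)
class CaseRecord:
    case_code: str     # pseudonymous code used in place of a full name
    caseworker: str    # user id of the assigned caseworker
    country: str
    service_type: str  # category that aggregate reports count
    phone: str         # direct identifier: only the assigned caseworker may read it


# Constructed sample records.
CASES = [
    CaseRecord("KE-0001", "cw_amina", "KE", "health_referral", "+254700000001"),
    CaseRecord("KE-0002", "cw_joseph", "KE", "legal_aid", "+254700000002"),
    CaseRecord("KE-0003", "cw_amina", "KE", "health_referral", "+254700000003"),
    CaseRecord("KE-0004", "cw_joseph", "KE", "health_referral", "+254700000004"),
    CaseRecord("UG-0001", "cw_grace", "UG", "legal_aid", "+256700000001"),
]

# Constructed user directory: user id -> (role, country).
USERS = {
    "cw_amina": ("caseworker", "KE"),
    "cw_joseph": ("caseworker", "KE"),
    "cw_grace": ("caseworker", "UG"),
    "lead_ke": ("country_lead", "KE"),
    "lead_ug": ("country_lead", "UG"),
}

# Aggregate cells with fewer clients than this are suppressed, so a count of one
# or two cannot single out a person (assumed threshold, not from the article).
MIN_CELL = 3


class AccessDenied(Exception):
    pass


def _role(user_id):
    if user_id not in USERS:
        raise AccessDenied(f"unknown user {user_id!r}")
    return USERS[user_id]


def view_case(user_id, case_code, cases=CASES):
    """Return the full record only to the caseworker it is assigned to.
    Every other role, including a country lead, is refused: they do not need
    individual details to do their job."""
    role, _country = _role(user_id)
    for rec in cases:
        if rec.case_code == case_code:
            if role == "caseworker" and rec.caseworker == user_id:
                return asdict(rec)
            break
    # Same message whether or not the case exists, so a refusal does not
    # confirm that a given case code is in the system.
    raise AccessDenied(f"{user_id!r} may not view case {case_code!r}")


def aggregate_report(user_id, country, cases=CASES):
    """Return per-service-type counts for a country to that country's lead.
    The result carries no case codes, caseworker ids or phone numbers, and
    small cells are suppressed."""
    role, own_country = _role(user_id)
    if role != "country_lead" or own_country != country:
        raise AccessDenied(f"{user_id!r} may not report on {country!r}")
    counts = Counter(rec.service_type for rec in cases if rec.country == country)
    return {
        service: (n if n >= MIN_CELL else f"<{MIN_CELL}")
        for service, n in sorted(counts.items())
    }


def denied(fn, *args):
    """True if the call is refused by the access rules."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print(view_case("cw_amina", "KE-0001"))        # assigned caseworker: full record
    print(aggregate_report("lead_ke", "KE"))       # country lead: counts only
    print(denied(view_case, "cw_joseph", "KE-0001"))  # another caseworker: refused
    print(denied(view_case, "lead_ke", "KE-0001"))    # country lead: refused
```

The two things worth noticing are that the country lead's report is built from the same records but never returns a row, and that the refusal message is identical for a case that exists and one that does not, so the access layer itself does not leak which codes are in the system.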
Promoting a harm-reduction mindset when utilizing digital platforms and thinking about how data protection might encourage or discourage people from seeking help are key approaches that Crabtree uses to engage staff. And one other consideration may especially resonate with the head office: “When anything we do with data is unethical, it threatens our staff and organizational reputation,” she said.
Will Worley is the Climate Correspondent for Devex, covering the intersection of development and climate change. He previously worked as UK Correspondent, reporting on the FCDO and British aid policy during a time of seismic reforms. Will’s extensive reporting on the UK aid cuts saw him shortlisted for ‘Specialist Journalist of the Year’ in 2021 by the British Journalism Awards. He can be reached at william.worley@devex.com.