• News
    • Latest news
    • News search
    • Health
    • Finance
    • Food
    • Career news
    • Content series
    • Try Devex Pro
  • Jobs
    • Job search
    • Post a job
    • Employer search
    • CV Writing
    • Upcoming career events
    • Try Career Account
  • Funding
    • Funding search
    • Funding news
  • Talent
    • Candidate search
    • Devex Talent Solutions
  • Events
    • Upcoming and past events
    • Partner on an event
  • Post a job
  • About
      • About us
      • Membership
      • Newsletters
      • Advertising partnerships
      • Devex Talent Solutions
      • Contact us
Join DevexSign in
Join DevexSign in

News

  • Latest news
  • News search
  • Health
  • Finance
  • Food
  • Career news
  • Content series
  • Try Devex Pro

Jobs

  • Job search
  • Post a job
  • Employer search
  • CV Writing
  • Upcoming career events
  • Try Career Account

Funding

  • Funding search
  • Funding news

Talent

  • Candidate search
  • Devex Talent Solutions

Events

  • Upcoming and past events
  • Partner on an event
Post a job

About

  • About us
  • Membership
  • Newsletters
  • Advertising partnerships
  • Devex Talent Solutions
  • Contact us
  • My Devex
  • Update my profile % complete
  • Account & privacy settings
  • My saved jobs
  • Manage newsletters
  • Support
  • Sign out
Latest newsNews searchHealthFinanceFoodCareer newsContent seriesTry Devex Pro
    • News
    • Technology

    NGOs urgently need to take on cybersecurity

    “Every single NGO I know has had a breach — they just didn’t know about it,” one expert in the field says.

    By William Worley // 12 March 2020
    LONDON — “Horrific” cybersecurity practices among NGOs are jeopardizing vulnerable populations, according to experts in the field. “Every single NGO I know has had a breach — they just didn’t know about it.” --— Siobhan Green, CEO, Sonjara Even as other sectors have made great strides in improving cybersecurity in recent years, the development community, with some exceptions, is said to be lagging on the basics because of its focus on impact as well as the broad costs and complexities of securing information technology systems. Experts highlighted the need for NGOs to have a dedicated and properly resourced cybersecurity policy that is taken seriously by staff — and called for donors to support this. “Every single NGO I know has had a breach — they just didn’t know about it,” said Siobhan Green, CEO of Sonjara, a company specializing in providing technical advice to the development sector. As data collection is now such a crucial part of NGO programming, experts said protecting it must be embraced by the entire workforce. “The same way program staff have to know about budgets and grants, even though they don’t work in finance, that same kind of proficiency is needed when it comes to data protection in this field,” said Kristy Crabtree, information management and technology adviser in the International Rescue Committee’s Violence Prevention and Response Unit. ‘IT makes it really easy to find people to harm’ Protecting the data of high-risk and marginalized populations — such as people who are HIV-positive and survivors of gender-based violence, or GBV — is a particular concern. Poor cybersecurity causes “huge protection issues,” Green said. “IT makes it really easy to find people to harm.” For example, key population data of HIV-positive people, such as sex workers or men who have sex with men, can record detailed personal information. Hot-spot maps designed for outreach work show where vulnerable populations congregate. “Across all donors and multiple countries … we see a lot of data being collected,” Green said. “Highly sensitive, personal, identifiable information, such as information on GBV victims — first name, last name, phone numbers, addresses, accusations of perpetrators — that type of information is being ... stored in insecure systems, shared by email, without any kinds of password protection. People are taking photographs of files and emailing them around.” Local politicians in at least three African countries have demanded access to NGO databases to find and arrest clients. And information can be leaked accidentally, through poor practices such as by sending an email containing unprotected data to the wrong address. All of this could result in fewer people getting tested for illnesses or participating in programs where they have to share their information, according to Green. “When you are talking about highly marginalized populations ... we are talking about life or death. We are asking for a lot of trust from the people whose data we are collecting, and I don’t think it's really warranted in a lot of cases right now,” she said. Why is cybersecurity so tricky? While NGOs want to serve their clients safely, Gus Hosein, executive director of Privacy International, said there was an overall lack of understanding about what constitutes good cybersecurity. “It's hard to do well even for the best of the best of the best,” Hosein said. “In low-grade attacks, all they [the attackers] have to do is recognize that every website and network has its vulnerabilities, and getting access to that isn’t overly difficult unless a lot of investment has gone in.” Even the few organizations that have made the effort to improve cybersecurity can see it made ineffectual when sharing data with others, such as a partner NGO or local government ministry. “Cybersecurity is a system and the weakest part of the system ... impacts the entire process,” Green said. The rush for NGOs to employ technological innovations has further complicated matters. “Every CEO of every big NGO has jumped on the next big tech [such as blockchain]. And that’s just outrageous … when they are still running old software they haven’t updated, and as a result the data is being leaked everywhere,” Hosein said. Technological tools are also pushed by many donors, often leading to inadequate plans for the data collected, Green added. “NGOs don’t invest in tech because they’re not paid to,” Hosein said. “Funders generally want them to do more and faster, and nobody is going to fund an NGO that says, ‘I’m sorry, we can’t use the latest toy because we haven’t done a security review on it.’ Nobody wants to pay for a tech staff when they could pay for another advocacy officer or comms officer or lawyer.” As a result, NGOs tend to use third-party operators, which leaves them “no control” over the data. “All it would take is a single funder or U.N. agency ... [to] ask their grantees to spend as much time on security [as on data collection]. Then we might see some change,” Hosein said. Green agreed that donors should both require and fund data protection and management as part of grants and contracts, which she said currently happens “very rarely.” And donors should work with the governments of low-income countries on addressing what their expectations are for data protection. What should be done? Some steps, such as securing devices with passwords and using password managers for different websites, can be done immediately. Simply writing down IT principles for staff and coordinating technical practices across organizations is also key, Hosein said. Backing up data and managing infrastructure, such as ensuring Wi-Fi networks are properly secured, should also be made a priority. “It’s those basic areas, then you can start worrying about malware and state-sponsored attacks,” he added. Using role-based access for systems is a “significant need and really lacking,” Crabtree said. “A caseworker should only need to see their own cases, not anyone else's. A technical lead in a country for a program should be able to see aggregate information but not individual [details] … because they don’t need that information to do their job,” she said. She admitted this type of software can be expensive but suggested NGOs collaborate and co-invest to produce stronger systems. Alongside a number of agencies, IRC is using a platform called Primero for social work case management. Different levels of NGO staff also have varying responsibilities. Green recommended that workers in the field have a very clear data management plan that clearly identifies which data is being collected, for what reason, and the risks and mitigation strategies. Simple steps include using codes instead of full names, clarifying what data is actually necessary to avoid collecting too much, and using shared drives in the cloud — which allows for improved access control — rather than email. Meanwhile, senior managers should ensure that staff members are thinking about cybersecurity before data collection begins and that protection measures are properly financed and resourced. Points to consider include standard operating procedures for breaches, whether more secure software could be used for a particular task, and ensuring cybersecurity standards are implemented in the field and with external partners. One issue is that NGO professionals tend to be more interested in people than technical procedures, Crabtree said. Her team decided to work with this and organized their data protection work around an ethical base, with an overriding principle of “do no harm.” “We found that to be much more useful for our staff to actually engage with, so they are not just ignoring things IT sends out,” she said. Promoting a harm-reduction mindset when utilizing digital platforms and thinking about how data protection might encourage or discourage people from seeking help are key approaches that Crabtree uses to engage staff. And one other consideration may especially resonate with the head office: “When anything we do with data is unethical, it threatens our staff and organizational reputation,” she said.

    LONDON — “Horrific” cybersecurity practices among NGOs are jeopardizing vulnerable populations, according to experts in the field.

    Even as other sectors have made great strides in improving cybersecurity in recent years, the development community, with some exceptions, is said to be lagging on the basics because of its focus on impact as well as the broad costs and complexities of securing information technology systems.

    Experts highlighted the need for NGOs to have a dedicated and properly resourced cybersecurity policy that is taken seriously by staff — and called for donors to support this.

    This story is forDevex Promembers

    Unlock this story now with a 15-day free trial of Devex Pro.

    With a Devex Pro subscription you'll get access to deeper analysis and exclusive insights from our reporters and analysts.

    Start my free trialRequest a group subscription
    Already a user? Sign in
    • Innovation & ICT
    • Institutional Development
    • IRC
    Printing articles to share with others is a breach of our terms and conditions and copyright policy. Please use the sharing options on the left side of the article. Devex Pro members may share up to 10 articles per month using the Pro share tool ( ).
    Should your team be reading this?
    Contact us about a group subscription to Pro.

    About the author

    • William Worley

      William Worley@willrworley

      Will Worley is the Climate Correspondent for Devex, covering the intersection of development and climate change. He previously worked as UK Correspondent, reporting on the FCDO and British aid policy during a time of seismic reforms. Will’s extensive reporting on the UK aid cuts saw him shortlisted for ‘Specialist Journalist of the Year’ in 2021 by the British Journalism Awards. He can be reached at william.worley@devex.com.

    Search for articles

    Related Stories

    Career Explorer Indigenous rights: 4 things all development workers should know

    Indigenous rights: 4 things all development workers should know

    Career ExplorerWhat development pros need to know about fisheries and aquaculture

    What development pros need to know about fisheries and aquaculture

    European UnionIs the political environment in Brussels the worst ever for NGOs?

    Is the political environment in Brussels the worst ever for NGOs?

    The Trump Effect'Like a big funeral': USAID cuts leave local partners fighting to survive

    'Like a big funeral': USAID cuts leave local partners fighting to survive

    Most Read

    • 1
      How low-emissions livestock are transforming dairy farming in Africa
    • 2
      Opinion: Mobile credit, savings, and insurance can drive financial health
    • 3
      Opinion: India’s bold leadership in turning the tide for TB
    • 4
      The UN's changing of the guard
    • 5
      USAID's humanitarian bureau is under pressure and overstretched
    • News
    • Jobs
    • Funding
    • Talent
    • Events

    Devex is the media platform for the global development community.

    A social enterprise, we connect and inform over 1.3 million development, health, humanitarian, and sustainability professionals through news, business intelligence, and funding & career opportunities so you can do more good for more people. We invite you to join us.

    • About us
    • Membership
    • Newsletters
    • Advertising partnerships
    • Devex Talent Solutions
    • Post a job
    • Careers at Devex
    • Contact us
    © Copyright 2000 - 2025 Devex|User Agreement|Privacy Statement