Imagine for a moment that your organization has developed a mobile app that allows clients to access a government entitlement. You have contracted a company to develop the app. One of its competitors exploits a misconfigured application programming interface setting and demonstrates that your contractor was not adequately securing the personal information of your clients. Passwords and PIN numbers were stored in clear text.
Although there is no evidence that the security lapses affected the administration of the program, clients and governments have lost trust in your organization. Do you have the knowledge and ability to appropriately vet contractors? Is security a high enough priority in your operational risk mitigation? Do you have experts you can consult to develop standards that are consistent with modern security requirements for products in other fields?
Our foremost ethical obligation in international development is to our clients, and this extends to developing technology tools and the stewardship of their data. This includes both maintaining the privacy or anonymity of client data where appropriate, but equally importantly it means ensuring that their data is included in datasets that inform crucial policy decisions.
Maintaining this balance requires careful consideration, planning, and buy-in from every member of an organization. It also requires organizations to lead with their values in developing cybersystems.
Stewardship of personal data can reflect on an organization’s reputation. The organization itself must be a trustworthy brand to protect both its mission success and employees. A series of privacy breaches at Facebook may have dimmed public opinion of the company in recent years.
For international development organizations, privacy stumbles could not only endanger vulnerable clients, but also sour donor relationships and embarrass or even endanger employees, who may become targets of disinformation or harassment campaigns. There also may be legal exposure for development organizations related to their handling of personal information.
Our foremost ethical obligation in international development is to our clients, and this extends to developing technology tools and the stewardship of their data.
—Nonprofit and social purpose organizations are generally not exempt from data protection and privacy regulations. The European Union’s General Data Protection Regulation, or GDPR, does apply to nonprofit organizations, and even organizations outside its jurisdiction may face judgments under GDPR if they are collecting or processing data on EU citizens or residents.
How can international development organizations harden their cybersecurity posture? For most organizations, cybersecurity is as much a management issue as a technical issue. Some basic first steps to operationalizing it include mapping existing policies to understand where improvements or clarifications are needed. It may not be possible to achieve an ideal cybersecurity posture instantaneously, so it is also wise to prioritize:
1. A way to contain organizational data, ensure its continuity, and separate it from staff members who depart the organization.
2. Strong authentication to access organizational data.
3. The use of authentic, licensed, and supported software on all organizational devices.
The NIST 800 series — published by the National Institute of Standards and Technology — provides some helpful guidance for further policy mapping that includes areas such as asset management and travel policies. One of the management principles of GDPR — the appointment of a data protection officer, even if that is a member of leadership with other responsibilities — ensures that the cybersecurity equity has a voice in organizational decision-making and can set a good example for the rest of the organization.
Data security is integral to mission success, and it doesn’t just mean protecting data subject privacy. After all, most modern development organizations could not function without computers or tablets used by staff members, smartphones, and other internet-enabled devices utilized in daily operations.
While we often think of information security as locking down data, an equally important aspect is ensuring that data is available when it is needed, which includes planning for hardware failures, creating redundancies for critical systems, and planning for incident recovery.
It is also important to consider how we can improve our security practices collectively as a field.
NGOs urgently need to take on cybersecurity
“Every single NGO I know has had a breach — they just didn’t know about it,” one expert in the field says.
Funders should include support for capacity building around cybersecurity, including but not limited to expert staff members or consultants. Where possible, development organizations should leverage programs such as TechSoup to take advantage of reduced cost or donated software, hardware, and services that can help support their cybersecurity capacity. We should also keep abreast of new developments in standards-setting and privacy-preserving technology that can help us share client data without compromising individual privacy.
For funders, it is important to meet organizations where they are, providing clear actionable advice without fostering shame. Equally, it is important for all parties to keep a learning attitude; this is a rapidly changing field, and the conventional wisdom of a few years ago may no longer be relevant.
Funders can encourage peer mentorship and facilitate the sharing of best practices and highlighting local threat models. Platforms and norms are different for different linguistic and geographic communities, and relevant threats are not the same everywhere. No one knows local threat models like locals, and this can help organizations invest wisely in their own resilience to prioritize threats according to peers in the same issue space and geography.