Q&A: How NGOs can protect themselves online
With cyberattacks on the rise, many organizations are scrambling to ramp up their online security measures — but high costs and a lack of expertise can make it difficult for nonprofit actors to take the necessary precautions. Devex sat down with Melanie Rieback, CEO of Radically Open Security, to get her insights on the best steps NGOs can take to protect themselves online, while keeping costs down.
By Benjamin Bathke // 06 October 2017

OSLO, Norway — With disinformation campaigns, online fraud and cyberattacks on the rise globally, companies, institutions and governments are scrambling to ramp up their online security measures. But the significant cost of firewalls, encryption and other digital security measures can make it difficult for at-risk players in the nonprofit sector to take the necessary precautions to prevent attacks, and to respond effectively if an attack does happen.

Dr. Melanie Rieback, CEO and co-founder of nonprofit computer security consultancy Radically Open Security, recently talked about the ins and outs of digital defense at Oslo Innovation Week in the Norwegian capital. The Dutch national, a former assistant professor of computer science best known for her research on RFID security, has extensive experience in combating cyberattacks.

Rieback sat down with Devex to discuss best practices in online security for NGOs, and what steps they can take to protect themselves and their members. The conversation here has been edited for length and clarity.

Why do NGOs need to protect themselves online, and what are the key things they need to be thinking about when it comes to digital defense?

NGOs need to protect themselves in general, not just online, and they don’t necessarily differ from any other business or organization that is distributed globally in some way, shape or form. What those security efforts might look like partly depends on the size of the NGO.

What I've observed working with small, grassroots NGOs is that they tend to not have any knowledge within the organization about how to deal with security. So the best thing that they can do is approach some kind of a knowledge partner, willing to work with them either cheaply or for free. They need to get some kind of initial assessment — a holistic overview of what their actual situation is with respect to their risk profile.

It all starts with a question of what your attacker model is. They most likely don’t have budgets for these kinds of things. But they need to think about what their threat model is and ask themselves what their assets are: What are we trying to protect? What are our crown jewels from our perspective, as well as from the attacker’s perspective? Those might be two different sets of things.

Larger NGOs should have some kind of a better developed information technology organization in place, although they may very well still not have an entire security department of the size they need. Even more important than having a large-enough security department is embedding the awareness of security within the rest of your IT department. System administrators, coders, development, research and development operations people all need to gain experience and proper security training. Educating those who build things for you is going to ultimately give you the best return on your investment.

One thing that all NGOs should do regardless of their size is keep [sensitive] things off the internet. That might sound obvious, but it matters. Avoid having huge websites with all kinds of really fancy interactive functionality you plug everything you know into.

What are some affordable alternatives to costly security services available to NGOs?

The best advice I can give is talk to somebody, whether it's a volunteer or a professional, who can have a look at your particular situation and try and help. There are also some manuals and good reading material out there. Tactical Tech has a number of good mini books that can describe some of the different tools and other forms of digital defenders available to NGOs. There are some not-for-profit efforts out there geared towards helping NGOs. One in particular is called Security Without Borders, whose pool of volunteers sometimes helps NGOs for free.

I'm part of an organization called CiviCDR (Civil Society Center for Digital Resilience), which provides security and incident response services for NGOs that don't otherwise have the budget for it. Radically Open Security, my own company, also offers some services for NGOs. Since we’re a scale-up company, however, we can't afford to do it for free. What we can do is keep the costs somewhat low by putting more junior staff members on those cases, which works fine because our NGOs usually only need help with the most basic and simple things.

There are also some funding agencies like the Open Technology Fund in Washington, D.C., and the Mozilla Foundation, which has a budget for doing audits for nonprofit entities, especially if you create something that's open-source.

Would you say that there is a lack of initiatives and resources available to NGOs looking to safeguard their digital activities?

Absolutely. It's not a financially attractive segment. The majority of the providers either have volunteers that are doing it, or they have commercial parties that don't take it seriously because there's no money there. If you're lucky, you might have a couple of like-minded organizations that are willing to do it. There are also some larger consultancy firms that will do nonprofit work.

It's not that you shouldn't shop around and see if some of these commercial parties can help you, but at the same time it's not available in the quantities that are needed, not to mention that there are very few parties that would actually take nonprofits as seriously as their commercial engagements — which is a shame because the NGO sector, in many ways, sometimes needs it even more than other sectors.

How can NGOs keep the costs for security measures to a minimum?

If you can choose between proprietary and open-source software [where the original coding is free to share], the latter, I think, is a better investment of your IT budget. Whatever money you save can hopefully be spent on setting up that open-source software in sensible ways.

Moreover, trusted data sharing communities, such as MISP and Shadow Server, can provide some things which might be of use. Those are excellent initiatives that share free threat intelligence you can use for operational purposes. You also have other organizations like Team Cymru that put more informational things out on the web.

NGOs also have a lot to gain by bundling their forces. If the NGOs together can come up with some sets of best practices, monitoring solutions or incident response teams that they can share, they can achieve a lot more than each organization can do individually. After all, it does take some amount of resources to come up with functional solutions.

Shadow Server is a great example of how facilitated sharing can help. What they do is create this trusted community, and they essentially only share the information they collect with the organization that it's relevant to. Sharing is good, but at the same time, the problem with threat intelligence is if you do just dump it somewhere public, the attackers will then see it and modify their behavior. So you also need to use a little bit of common sense. Transparency can help NGOs if they share with each other while keeping in mind what that threat model is.

Do you have some advice for organizations operating in high-risk environments?

If you are a tiny, free speech organization operating in a country with an oppressive regime, you tend to face motivated and well-funded attackers without having a serious security budget to counter them, especially if attackers get hold of the information about those running the organization. This is problematic. The best that they can really do is take baby steps. Another problem is that smaller NGOs don't have enough financial resources to be able to ask most serious security companies for help.

Which NGOs are really doing a good job of online security — and how are they doing that?

My honest answer is none of them — but it's not just NGOs. I mean, there's always room for improvement. I've worked with a number of organizations from large to small, from commercial to governmental, from SMEs to the nonprofit sector, from universities to core internet service providers. There are always problems, universally. It's just a question of how bad they are, and how catastrophic it is at the end of the day.

If you have a tiny organization started by techies, especially if they tend to be people from the security industry or hackers, then they might have enough knowledge to be able to architect in security from the beginning in a better way than an NGO whose core business is not IT. So as a generality, I would say that the more the core business is related to security, the more likely they are to get it right, although that's still not a guarantee. And then again, there is no organization on the planet that completely gets it right. I myself run a security company, and I would never claim that we get absolutely everything right because there's complexity in software and also in people, so there's just a gradual process of trying to raise the bar.

What’s your advice for NGOs just getting started with online security?

Try and start with the most basic things and take incremental steps. Find organizations helping to facilitate industry-wide, not just for business but for NGOs as well and across the civil society sector. There are resources out there if you look for them.

You do need to approach security in a cyclical fashion. You essentially need to take a number of incremental steps. It's a process as well as a mindset — something you need to build up over time. It's not just this one-time penetration test or one-time assessment and then you're done. You do need to keep revisiting your security measures and improve them incrementally.
Benjamin Bathke is a freelance journalist covering media innovation, startups and intractable global issues for Germany’s international broadcaster Deutsche Welle, as well as several other international publications. In 2015-2016, Ben was a Global Journalism Fellow at the Munk School of Global Affairs and a multimedia storyteller for Washington University in St. Louis.