What NGOs can do to mitigate cybersecurity risks
As humanitarian and development organizations face increasing cybersecurity threats, experts share what they can do to protect themselves.
By Adva Saldinger // 11 June 2021
While cybersecurity may not have traditionally been seen as an essential part of operations for humanitarian and development organizations, an increasing incidence of malicious efforts online has spotlighted the importance of information security policies and practices.
A recent phishing attempt by a person or group mimicking the U.S. Agency for International Development’s email marketing account to target aid groups has brought renewed attention to the issue.
But there are steps that organizations can take to prepare themselves to better detect breaches and respond to them — even if preventing them outright may not be possible, experts tell Devex.
The first thing that organizations need is not fancy technology but a commitment from management and recognition of the real risks related to cybersecurity, said Dianna Langley, senior director of engagement at NetHope, a technology-focused global consortium of nonprofit organizations. Boards of directors and executives — not just chief information officers — need to view these as critical threats, discuss them, and ensure that cybersecurity is adequately resourced, she added.
If organizations haven’t had conversations about cybersecurity with their boards or trustees, they should do so now, said James Eaton-Lee, data protection officer and the head of information security at Oxfam. Another key step is appointing a senior employee — preferably a technologist or risk manager who has a relevant track record — to own cybersecurity issues, he said. That person’s job should be to lead a response if a potential breach does arise.
Small NGOs would need a different system and response mechanism, so they need to focus their resources. They should carefully evaluate needs, including whether they work with vulnerable clients or in hostile spaces, and ensure their teams and systems match their threat profile, Eaton-Lee said.
Some systems can be easily implemented and do not require additional technology, such as requiring multifactor authentication on every system and device. Having that authentication in place stops many potential hacks, Langley said.
A challenge for organizations that have far-flung or virtual teams may be the ability to maintain devices — including remotely patching issues and sending antivirus updates — but this is critical for cybersecurity efforts and understanding potential vulnerabilities, Langley said. Training for employees is essential so they know how to identify potential threats, and organizations should also ensure their systems have strong fundamentals, such as email management, she said.
Once organizations have systems in place, they should validate them by benchmarking against peer organizations or having third-party evaluations and tests performed — including through simulated phishing exercises, Eaton-Lee said.
Having systems in place is important, but organizations also need to have incident management processes — which few working in this sector do — said Stuart Campo, team lead for data responsibility at the United Nations Office for the Coordination of Humanitarian Affairs. Learning from challenges, detecting vulnerabilities, and ensuring thorough documentation are all difficult without data incident management, he said.
Before starting a new service or using a new technological tool, groups should work to reduce their vulnerability as much as possible. One way to do that is to assess where data is hosted and how interconnected or isolated systems are, Campo said. For example, client data shouldn’t be sent via email, and access between systems should be limited, he said.
Adva Saldinger is a Senior Reporter at Devex where she covers development finance, as well as U.S. foreign aid policy. Adva explores the role the private sector and private capital play in development and authors the weekly Devex Invested newsletter bringing the latest news on the role of business and finance in addressing global challenges. A journalist with more than 10 years of experience, she has worked at several newspapers in the U.S. and lived in both Ghana and South Africa.