Why your NGO needs in-house data security expertise
Data security breaches can have vast consequences in aid work. NGOs need to know they can manage the risks on their own, rather than relying solely on external service providers, experts tell Devex.
By Lisa Cornish // 13 June 2018
CANBERRA — The fallout of the Facebook scandal has served as a timely reminder for development organizations to take a closer look at their own awareness and understanding of data privacy and security.
To facilitate smarter, faster, and larger-scale impact of development and humanitarian services, NGOs are being encouraged by donors to transition quickly to a data world — and to do so safely and securely.
But for many, using funds for non-mission-specific tasks such as data management and security remains a difficult culture shift to communicate internally, as well as externally to stakeholders.
“Organizations are having to eat what they kill,” Stephen McDonald, director of the Centre for Humanitarian Leadership, told Devex. “When you have this hand to mouth existence, it is very difficult to make those longer-term strategic investments that are required to fill the data and technology gap.”
As a result, it is tempting for NGOs to rely on external service providers for their data needs. But ideally, they need to be developing better in-house capability in order to make data a core part of their operations, rather than relying on external providers that may not understand the humanitarian context, experts told Devex.
“There is a real cost involved in these things. But if we get it right and do it the right way, it has enormous potential to reduce cost overall and make what we do a lot more efficient,” said McDonald.
The data security challenge for NGOs
Like many commercial organizations, NGOs are at risk from cyber threats due to the sensitive information they hold — including the identity of donors, financial information, confidential operational plans, and personally identifiable information about staff, volunteers, and the people they support, who are among the most vulnerable in the world.
“In the NGO space, threats come not only from criminals looking to leverage personal and financial details for their own gain, but also from state actors and governments seeking to control or hinder organizations they don’t agree with,” Paul Diaz, vice president of policy at the Public Interest Registry, explained to Devex.
But the preparedness of NGOs to deal with data security and privacy issues can vary dramatically depending on their size and infrastructure.
“There are large multinational NGOs with well-developed security infrastructures and in-house security professionals on staff who are equipped to quickly respond to data security issues such as data breaches, or even privacy regulations such as the new General Data Protection Regulation coming out of the European Union,” Diaz said.
“On the flipside, there are also many NGOs that lack the resources to thoroughly protect their organizations against bad actors or properly manage stakeholder data. These NGOs simply focus their limited resources on their missions, and lack the wherewithal to deliver the security systems, IT staff, and data management processes that are considered best practice for any organization in today’s digital world.”
As the data used in the aid sector can place individuals and organizations at risk, McDonald said there is an urgent need to address issues of data awareness, security, and general practice.
“The most worrying thing I have heard so far is about insecure systems containing large amounts of personal data about people who are displaced or in high-risk environments,” McDonald said. “However, I have also personally seen data and documents left accessible on open systems — discarded USB drives in high-risk environments, and even people leaving access to webmail accounts on shared computers in public places. Furthermore, most organizations do not encrypt their data on user machines, and many users have only a rudimentary understanding of data security.
“The biggest gap we have in data security in aid and development is people — and we need to educate both communities we are seeking to serve, as well as aid workers about the need for data security, consent, and privacy,” McDonald said.
The dilemma of outsourcing data
An easy out for many NGOs, especially in those where the concept of data is foreign, is to outsource responsibility for all things data to external service providers. But this, experts warned, is a temporary band-aid solution.
“NGOs are putting their trust in the private sector when they don’t necessarily understand the solution they need, nor how it can be applied within a humanitarian setting, but often trying to do it on the cheap,” McDonald said. Service providers may not understand the challenges of the environment where data is being collected and used in the development and humanitarian space.
“Secondly, there are some [NGOs] that are either trying to do a system building exercise themselves, or commissioning third parties — without having a clear understanding of their own processes or requirements. Software development by its nature, has to be a disciplined and iterative process, and it is seldom that there is an ‘off-the-shelf’ product for complex problems without doing a proper analysis of the business requirements, user requirements, and technical requirements,” McDonald said.
Additionally, relying on outside providers means NGOs can continue considering data as an issue external to their organization.
“Many NGOs focus the majority of their resources on activities that further their mission — and as a result — investment in data management, security, and privacy typically is much lower than is advisable,” Diaz said.
“When working with outside counsel it can be more difficult to address the ‘mindset challenge’ facing many NGOs who don’t currently view data security and privacy as a top organizational priority,” he said.
Zara Rahman, research, engagement, and communities team lead at The Engine Room, told Devex that as data is a “cross-organization issue,” it is a capability that needs to be led and developed in-house.
“Everyone works with data, from programmatic teams to monitoring and evaluation, to operations, and of course, the tech team. In order to have strong organizational security, everyone needs to build better practices across the organization — it can't just be the responsibility or concern of one team.”
According to Diaz, having an in-house data steward is important in building an internal culture that prioritizes best data practices. But there are also practicalities in the understanding of organizational data, sensitivities associated with them, and the unique needs or threats facing the organization that cannot be outsourced.
“In the event of a security incident, every minute is critical,” Diaz said. “If your outside counsel is not accessible and able to activate immediately to address threats at their earliest stages, your organization will be at a great disadvantage.”
Services that need to be outsourced should help an organization toward in-house expertise.
“Among some NGOs, having in-house capabilities may not be possible from a resource perspective,” Diaz said. “In those cases, it’s critical that the organization bring in an outside security professional to help set up their systems and train their internal staff.
Then, these NGOs can schedule regular touchpoints with their outside consultants to ensure systems are running properly.”
Building internal data capacity
The diversity in size and missions of NGOs means there is no one-size-fits-all solution to building in-house data capacity. But even without a full network security team, Diaz explained there are steps that NGOs can take to bolster their data management and security capabilities.
“One consideration is to first look outside of your organization to ensure third-party partners are taking the appropriate precautions to eliminate risk and keep your stakeholders’ data safe and secure,” he said. “Third-party partners including internet service providers, cloud providers, payroll service providers, and software service providers all play a role in your security capabilities. NGOs should see it as their responsibility to ensure that these vendors who manage or process data on their behalf are best-in-class when it comes to data security.”
While doing this, Diaz said, NGOs should be crafting internal data privacy and security policies that clearly outline requirements of employees and volunteers around data management. And once these policies are in place, employees need to be trained to ensure they’re equipped to respond to issues as they arise, or direct them to the appropriate expert.
That process needs to come from the top.
“NGO leaders should make sure there are clear processes in place for all employees so they know how and when to escalate data-related concerns as well as who to contact first in the event of a data management crisis,” Diaz said.
All organizations need to make data security and privacy “a core part of their operations,” he said.
Rahman added that it is important for organizations to think long-term about data capability and strategies. Data security and privacy interventions “should be framed as part of a holistic organizational security approach,” she said.
“Understand that context changes — so apply your critical thinking skills to technology rather than taking a set of advice word-for-word,” Rahman said. “And don't wait for a data breach or serious incident to happen to trigger investing in better security practices — our methods [underlie] our mission, and if our mission is to support and serve communities, we need to protect and respect their rights in data too.”
In building an organization-wide transition, education is key. It is important to understand that even among the new generation of NGO workers, data awareness can be poor.
“I was hopeful for a while that as younger people came into aid and development they would be more attuned to risks of data privacy and security,” McDonald said. “But what has struck me is that, because they have grown up in a world where social media is the norm and information sharing is the norm, they are not necessarily aware of those risks themselves — especially in terms of how we use other people’s data.”
McDonald believes there are three levels of training required to support appropriate use of data in development and humanitarian programs, which need to be specific to the sector rather than generalist.
“It is not a straightforward transition from government and private sector ICT roles [to] aid and development as the environments we work in are often resource constrained, and the available solutions or infrastructure is often challenging,” he said. “A fully locked-down ICT environment makes it difficult to work in the field.
But a completely laissez-faire approach carries a great deal of risk — which means that you also need to address the human factors involved.”
The first level of training, McDonald believes, should be a specific education pathway to professionalize humanitarian and development ICT.
“Often it is treated as an ‘add-on’ to logistics,” he explained. “We need to recognize that ICT in the aid and development community is a specific discipline and requires a professional pathway.”
The second level needs to support leaders in aid and development — from mid-level managers to global CEOs — to have a better understanding of the strategic issues and inter-dependencies of ICT in delivering aid, and the risks that are associated with using technological solutions.
“We want them to understand the risks, but find solutions to those risks that don’t involve walking away from the future,” McDonald said. “Critical to this is having a solid understanding of data and data security issues — not necessarily from a technical perspective, but from a business understanding and through the lens of a solid ethical framework that is founded on humanitarian values and principles.”
The third level needs to support general training and education for aid workers and for communities about how data is collected, stored, analyzed, and used.
“Human behavior is the single most important factor in managing data and data security — and it is important that communities understand this too, so that they can provide informed consent on how their data is collected, used, and stored,” McDonald said.
Diaz warned, “it’s also important to remember that no organization is immune from cyber threats regardless of how robust their in-house capabilities are.” But building in-house capability, he said, is an important step in reducing the impacts of threats.
Lisa Cornish is a former Devex Senior Reporter based in Canberra, where she focuses on the Australian aid community. Lisa has worked with News Corp Australia as a data journalist and has been published throughout Australia in the Daily Telegraph in Melbourne, Herald Sun in Melbourne, Courier-Mail in Brisbane, and online through news.com.au. Lisa additionally consults with Australian government providing data analytics, reporting and visualization services.