How to improve the cybersecurity of NGOs?
Digital transformation has reached all sectors, including non-governmental organizations (NGOs). These organizations have now become more dependent on technology to improve their ability to deliver and scale programs, engage with beneficiaries, and ensure an agile response to populations in need.
Although this transformation delivers many benefits for NGOs, it has made them a viable and attractive target for cybercriminals. According to the 2023 Nonprofit Tech for Good Report, 27% of nonprofit organizations worldwide have suffered a cyberattack.
NGOs collect, manage and process high volumes of data, including sensitive information on people in vulnerable situations and financial data from donors, which are some the key reasons why malicious actors seek to attack them, making this sector the third-most targeted industry for hackers.
In January 2022, a Doctors Without Borders server in Spain was compromised, fortunately, the incident did not escalate and a major data breach was avoided. Similarly, in February of last year, the International Committee of the Red Cross (ICRC) was attacked via code designed to impact its servers. In this case, if proactive measures had not been taken, it could have resulted in data loss affecting around 500,000 people. Then on October 5, 2022, Amnesty International Canada was the target of a cyberattack where tools and techniques associated with specific advanced persistent threat (APT) groups were deployed.
Given the risks these organizations face, many NGOs are turning to insurers to avoid suffering devastating losses. In fact, in the first half of 2022 there was a staggering 57% increase among claims made by NGOs, according to the Cyberpeace Institute.
8 basic principles of cybersecurity for NGOs
NGOs aim to dedicate the funds they raise to the support the causes they are committed to, and, generally speaking, tend to underinvest in cybersecurity, and may also lack the knowledge and expert staff in the field. Here are some cybersecurity basics they should implement to counter this:
1- Security policies:
NGOs need to outline clear and well-defined cybersecurity policies. But first they need to know what to protect and how to protect it. They can then develop a series of measures and procedures to be followed that include all the organization's processes, systems and personnel. It’s important to remember that cybersecurity is a shared responsibility, so conducting regular awareness programs for employees and IT staff should be part of these policies to make cybersecurity part of the organization's culture.
2- Software updates:
Software updates are essential for robust cybersecurity. It is necessary to ensure that both the operating system and applications have been updated and are protected by the latest patches to avoid security breaches caused by vulnerabilities in the system.
3- Strong passwords:
Passwords function as the first security barrier for organizations, protecting their users' credentials. Employees need to ensure their passwords are strong and complex, change them regularly and avoid repeating them. It is also advisable to apply MFA (multi-factor authentication) as an additional layer of security for employee and NGO member credentials.
4- Backups:
Regular backups can ensure that data can be recovered in the event of a security breach. For effective storage, NGOs need to establish appropriate policies and technical measures such as storing several encrypted copies of critical data, as this makes it easier to restore them if necessary.
5- Training and awareness:
Effective human risk management involves training all staff on cybersecurity threats. This enables them to recognize and prevent attacks such as phishing, social engineering and other threats. An organization's response capability can be improved by turning people into human detectors.
6- Limited access:
To avoid lateral movements within the network if a threat actor manages to get hold of an NGO employee's credentials, it is best to limit permissions and access to systems to users who have a legitimate need for access. Most software systems allow administrators to regulate authorization levels based on the functional roles of each employee.
7- Risk assessment:
Regular cyber risk assessments are needed to identify and address vulnerabilities in your systems and processes. This enables you to reduce cyberattacks by being aware of your weaknesses.
8- Monitoring and intrusion detection:
NGOs must proactively monitor their systems to be able to detect and respond to any suspicious or malicious activity. They need to deploy solutions such as firewalls and intrusion detection and prevention systems to safeguard sensitive data, systems, and employees.
Network security: a key requirement for improving NGO cybersecurity
NGOs must be able to protect their networks and having a firewall that functions as the first line of defense against cyberattacks is essential.
Using a firewall such as WatchGuard's Firebox makes it possible to control traffic on the external, trusted network, a crucial task considering that almost two-thirds of malware hides in encrypted traffic. Thanks to this technology, NGOs can stop all suspicious traffic and strengthen the organization's security, as well as detect and block more sophisticated attacks, such as ransomware, zero day threats, and other advanced malware designed to evade conventional network security defenses.
In 2019 Nugent Care suffered a cyberattack that wiped out almost their entire IT infrastructure. After finding themselves in that situation they decided to create a five-year strategy that would allow them to regain internal control of their network and firewall infrastructure. They opted to invest in a series of Firebox appliances that provided the visibility they were looking for to shape traffic and perform analytics and quality service management through WatchGuard Cloud.
Scott Davis, ICT systems Manager at Nugent Care, explained that "WatchGuard was the most communicative and supportive in terms of time, guidance, and demonstrations, which helped me in the decision-making process. It doesn't matter how good the product is if it's not backed up by good support."
Nugent Care is an example of what an NGO can achieve when it is supported by quality technology and service. As Scott says, "I sleep better at night, there's nothing worse than not knowing what you're going to wake up to."
If you want to learn more about how network security strengthens an organization's cybersecurity posture, be sure to check out the following articles on our blog: