Responsible data management toolbox

8.2 Cybersecurity


Keep in mind

Even though the term cybersecurity is a bit scary, and NGOs often feel helpless in the face of the topic, there are many concrete measures that NGOs can easily implement, both in terms of securing systems and in terms of good practices.

There is an increasing need for actors on the ground to ensure cybersecurity. This is why we wanted to introduce this concept, its specificities with regard to the sector and the protection measures available to NGOs.

8.2.1 What are we talking about?

In order to understand cybersecurity issues, it is essential to understand its scope.

Cybersecurity is the state sought by an information system that will enable it to withstand cyberspace events likely to compromise the availability, integrity or confidentiality of data stored, processed or transmitted and related services that those systems offer or make accessible. Cybersecurity uses information systems security techniques and is based on the fight against cybercrime and the establishment of a cyber defence (Source: ANSSI). It is a “subset” of IT security.

8.2.2 What is at stake?

The international solidarity sector is a target – like many others – of multiple cyber-attacks. The non-profit sector is increasingly affected by cybersecurity issues: it is now the second target of cyber attackers, following the computer industry. The attack that received the most media attention was that of the ICRC in 2022 (presented in FailFest at the GeOnG 2022). Yet, according to a 2018 study, only 1 in 10 NGOs train their staff in cybersecurity and only 1 in 5 NGOs have cybersecurity strategies and the resources to defend themselves (NTEN 2018 State of Cybersecurity Nonprofit Report). Moreover, according to the latest NetHope report on cybersecurity in the sector (downloadable here), 65% of international solidarity NGOs do not trust their cybersecurity.

It can be said that cybersecurity is a topic about which NGOs often feel overwhelmed, due to lack of resources and knowledge, while there are numerous actions they could undertake.

Focus on the health sector: a fragile and targeted area

Organisations that work in the health care industry are particularly targeted: these attacks are singular because they target society as a whole by targeting “services that are essential and vital”: “being a guarantor of human lives makes the medical sector particularly vulnerable.”

This risk has increased even further since the Covid-19 pandemic. In addition, the impacts of these cyber-attacks are substantial and multiple. The CyberPeace Institute analysed cyber-attacks in this sector and their impacts, and recommends collective solutions, in a report published in 2021. A tracer tracks incidents in more than forty countries and can be fed by field actors. The impacts are:

  • “impact on the physical health” of individuals whose treatment is slowed down or rendered impossible,
  • “psychological impact” that decreases “confidence in the health system”,
  • “societal impact” that leads to a “climate of fear, confusion and mistrust”,
  • “economic impact” (strengthening the security system of information systems, sometimes paying the ransom for example).

8.2.3 How can NGOs tackle the topic?

Cybersecurity is a multifaceted topic, but to summarise, finding all of the means to limit data thefts / breaches remains the top priority, with the knowledge that, depending on the entity carrying out the attack, protecting oneself is more or less feasible. But a vast majority of attacks could and should be countered, not only in view of the responsibility NGOs have towards the populations whose data they hold, but also in view of the financial cost of managing the breach (see again the ICRC experience presented in FailFest at GeOnG 2022).

However, according to the 2022 Verizon Data Breach Investigations Report, 82% of them are linked to human error. Without necessarily recruiting experts in this area in-house, NGOs could therefore better defend themselves by working on cyber hygiene with the members of their organisations. Feel free to refer to the capsules in the previous section on information systems security, cybersecurity being a subset of IT security.

If you want to better protect yourself and put contingency plans in place, the Solidarity Action Network has developed a Solidarity Playbook on cybersecurity (to which the CyberPeace Institute has recently contributed with specific case studies), which helps raise awareness of which mitigation measures and responses to implement following a data breach.

This guide has identified five issues that CSOs face during an attack:

  • Constrained resources,
  • Lack of experience,
  • The unknown is unnerving,
  • There is a balance to be struck between actions to respond to the attack and daily activities,
  • Deciding what to communicate.

Do not hesitate to connect with structures such as the CyberPeace Institute, which, through its humanitarian cybersecurity centre and its CyberPeace Builders Volunteer program, supports NGOs free of charge in assessing their situation and implementing good cybersecurity practices.

8.2.4 Key Resources

Here are additional resources to explore cybersecurity and its challenges:

  • We recommend the relevant resources from the CyberPeace Institute, on combating cyber-attacks and analyzing their context in the humanitarian and healthcare sectors,
  • We invite you to explore Solidarity Action Network’s Solidarity Playbook on cybersecurity, which draws together case studies and best practices on cybersecurity, presenting examples of CSOs who have dealt with real cyberattacks,
  • The Global Cyber Alliance website, an NGO fighting to reduce cyber risks, which has developed guides and tools to help organisations improve their cybersecurity,
  • The CSIS (Centre for Strategic and International Studies), a research centre that provides a variety of cybersecurity resources such as podcasts, articles and reports on the topic,
  • Privacy Affairs is a collective of journalists, experts in cybersecurity and lawyers that produced the dark web price index 2022 and 2023 which reports the prices of different products sold on the black market (dark web) by cybercriminals,
  • The resources from SANS Institute provide practical knowledge of cybersecurity through tools, documentation and articles,
  • The Centre for Internet Security (CIS) is an NGO that offers tools, services, guides and articles to combat cyber-attack related risks,
  • The ANSSI (French national information systems security agency) has developed a cyber crisis management guide that includes best practices and testimonials from organisations that are the targets of major incidents (resource only available in French),
  • The Humanitarian Data Center Guidance Notes provide information on specific topics, processes and tools related to the practice of responsible data management. They complement the OCHA Guidelines on Data Accountability and the IASC Operational Guidelines on Data Accountability in Humanitarian Action,
  • And finally, NetHope’s 2023 report on cybersecurity in the sector reports on the state of health of NGOs on the topic.