Whether it’s stolen credit card numbers or the security of election systems, digital protection is increasingly center stage in our collective lives. The same is increasingly true for the NGO/nonprofit sector. NGOs were once thought to be ignored by most hackers and other malicious actors, but an increasing number of transnational cyberattacks now target NGOs and their local partners. In the wake of the recent, multiple attacks on USAID and other U.S. government agencies, it’s clear that NGOs and the data they hold are increasingly attractive to those wishing to do harm.
NetHope, as a consortium of 63 of the largest NGOs and nonprofits in the world, is working to address these challenges. Paramount to this effort is the need to honestly assess how secure organizations really are and the most common challenges that remain.
To that end, NetHope just completed an assessment of a majority of its Members' compliance with the cybersecurity controls set out by the Center for Internet Security (CIS). While there are several accepted frameworks for measuring cybersecurity compliance (including NIST and ISO, among others), NetHope Members (through its Data Protection & Information Security Working Group) chose the CIS controls as their measurement standard because they map easily to most other frameworks and thus can be used as a common framework for all.
The results of this assessment were humbling. In general, if NetHope Members can serve as a proxy for the larger NGO/nonprofit sector, it seems the sector is not well enough prepared for future threats. Data backup processes were generally in place, but few protocols are in place for testing their viability. Data encryption is rarely used, and ransomware attacks remain a real threat that is realized all too often, to the degree that Members could acknowledge such attacks at all, given nondisclosure policies and the media/brand risks of doing so. Moreover, the lack of network segmentation and the lack of robust user account management throughout nonprofits’ stakeholder ecosystems create openings for larger and more sophisticated attacks.
In the end, it is clear that more needs to be done, and NetHope is prepared to walk that journey with its Members, with the help of its partners and donors. For example, since we know much of the issue is due to starved cybersecurity resources within the nonprofits, donor funding models likely need to adjust to actively encourage cybersecurity investments and adequately cover the scale of requirements in this new age. Digital hygiene trainings will need to be offered down to the very end-point of NGO networks, sub-partners, and program participants. And crisis response plans need to be codified, pre-funded, and rehearsed in the event of the almost inevitable future attacks.
A copy of the NetHope research is available online here.
NetHope commits to working with its Members and the broader NGO/nonprofit sector to help implement strategies to address these systemic issues and help create the right conditions of success in a digital world – for the nonprofits, but even more crucially, the vulnerable people they work with.
If you believe you can help with a piece of this complex puzzle that must be solved, please contact us.