Cybersecurity: Why it matters to NGOs.

From July 22 to July 26, 2024, the Partnership for Justice hosted a five-day capacity-building training on Comprehensive Protection Mechanisms and Peaceful Conflict Resolution for Human Rights Defenders (HRDs) at Ivy Hotel, Ikeja, Lagos.

HRDs are individuals, groups, or associations who act to promote and protect universally recognized human rights through peaceful means. The training addressed key areas essential for human rights defenders, including the history of human rights in Nigeria, the laws and policies safeguarding these rights and those who defend them, and, most importantly, the safety and security protocols HRDs should follow to protect themselves.

One of the sessions, led by Francis Ndegwa, focused on digital security and highlighted the importance of cybersecurity within nonprofit organizations. Our ever-evolving digital landscape has introduced new types of threats, making the need for cybersecurity more critical than ever. Cybersecurity is the practice of protecting computer systems and electronic data by implementing best practices and using relevant technologies.

NGOs and Cybersecurity

Nonprofit organizations face numerous potential risks in handling confidential and sensitive information such as employee details, donor or investor details, beneficiary data, and so on. Research carried out by the Organization for Economic Cooperation and Development (OECD) found the non-governmental sector to be the second most targeted by cybercriminals and hacktivists globally, after the IT sector. This means that organizations like CivicHive, one of the leading tech nonprofit organizations in Nigeria, are at constant risk from malicious actors.

Some of these threats include data breaches and privacy violations, which involve unauthorized access to sensitive and private data; social engineering, where malicious actors gain access to confidential information by exploiting human errors; ransomware attacks, which use malware to restrict or deny access to sensitive information; and third-party risks, which arise from interactions with vendors and external organizations. These threats all pose a significant risk to the organization, as a successful attack can result in indefinite downtime, financial losses, loss of sensitive information, damage to reputation and safety, and a loss of public trust.

A notable cybersecurity attack on an NGO occurred in 2023, involving Save the Children International, the world’s leading charity organization for children. The BianLian hacker group targeted the organization, stealing 6.8 TB of data. This breach exposed personal information, financial records, healthcare files, and emails, highlighting the severe risks NGOs face in the digital landscape. This breach came in the wake of an attack on Blackbaud, a software vendor of the organization, in July 2020. That earlier attack is classified as a third-party risk and cost the organization sensitive data on its supporters.

Amnesty International Canada also suffered a data breach in 2022, perpetrated by a group allegedly sponsored by the Chinese government. The organization did not disclose the nature of the information stolen during the attack on its infrastructure but assured the public that neither membership nor donor data was affected.

The training with Partnership for Justice addressed the potential threats, vulnerabilities, capacities, and actors that influence an organization’s ability to effectively prevent or mitigate security incidents. It also provided an in-depth exploration of methods for handling security incidents, featuring case studies, scenarios, and group projects to reinforce participants’ knowledge. 

Conclusion

A key takeaway from the session was that cyber attackers can target anyone at any level within an organization. Attackers often exploit vulnerabilities wherever they find them, making it crucial for everyone – regardless of their level of access to sensitive information – to receive proper training on cybersecurity. This training is essential to protect both themselves and the organization from malicious actors.

Data and digital information are the foundation of nearly all organizations, covering everything from basic details like office schedules to sensitive information such as employee credentials, beneficiary data, and other essential records. Organizations focused on safeguarding rights, demanding government accountability, or contributing to the social good must ensure that all members are properly trained to identify, report, and manage security incidents effectively. 
