Who protects the humanitarians? As warfare becomes digital, NGOs are in the cyber crossfire
February 20, 2023 | By Tyler Blint-WelshOne afternoon, an official at an NGO that provides health care to children around the world received an email informing him that his organization had been cyberattacked. As a twisted form of courtesy, the crime syndicate provided a hotline to call and negotiate a ransom.
So the NGO worker found himself on the phone explaining to criminals that his organization’s work focused on helping children receive treatment — in some cases, lifesaving — and that the attack was preventing them from getting better.
“Oh, that’s great, you’re helping children,” the ransom negotiator responded in all apparent sincerity. “We have a discount for NGOs.”
This type of incident, which was recounted by Adrien Ogée, chief operating officer for the Geneva-based organization CyberPeace Institute, is increasingly common. In recent years, more than half of all NGOs have reported themselves victims of cyberattacks. Ogée notes that there has been a shift in the mindset among hacker groups, who have become more willing to attack organizations beyond just for-profit corporations.
“Everything is fair game now,” he says.
And while cybersecurity is a problem for all industries, it’s particularly challenging for NGOs. While some NGOs operate on billion-dollar budgets, most of that money is earmarked to fulfill their missions, not to pay IT staffers. That makes it difficult for these nonprofits to attract the cybersecurity talent needed to stay secure. Additionally, workers are often deployed to regions that lack connectivity, don’t have regular access to mail delivery to receive upgraded equipment, or are even under threat of constant violence, all of which can interfere with implementing basic cybersecurity protocols, like multifactor authentication.
That’s where the CyberPeace Institute comes in. Established in 2019 by a group of corporate donors, including the Mastercard Center for Inclusive Growth, as well as philanthropic foundations, the institute is dedicated to equipping NGOs with intelligence to prevent, and recover from, cyberattacks, and it works with the United Nations to define the rules and principles for how countries should behave in cyberspace.
The institute also closely tracks attacks and new trends in cyberwarfare. In Ukraine, it identified 15 attacks against nonprofits, including NGOs, in 2022, disrupting services to displaced refugees and raising concerns that the hacked data could be used to target those organizations the displaced people rely on — although Ogée says that many attacks on nonprofits go unreported.
“Cybersecurity for NGOs had been really off people’s radars,” says Bonnie Leff, an executive board member of the CyberPeace Institute and a senior vice president in Corporate Security for Mastercard. “They’re such an important part of our ecosystem and are just such a vulnerable group.”
Last year, the institute introduced its CyberPeace Builders program, which forms the core of its new Humanitarian Cybersecurity Center. The CyberPeace Builders program pairs NGOs with volunteer cybersecurity experts who provide ongoing guidance to help prevent attacks. Since its launch, more than 100 NGOs have been given cybersecurity guidance.
Cheryl Banashek, a Mastercard employee, is one such volunteer. With an extensive background in phishing and cybersecurity awareness education, she recently worked with an NGO that fights wildlife crime to improve its anti-phishing program. She helped the group compile a list of best practices, tools to distribute to employees and nuggets of knowledge that were relevant to the NGO.
“I love to volunteer — it started out years ago in my community, at my kid’s school,” she says. “It’s been an amazing experience to bring my professional skills and share them with other people.”
Beyond funding, one of the main cybersecurity challenges NGOs face is that their leaders often lack the time to do the extensive research necessary to implement robust cybersecurity programs and train their employees. Organizations like the CyberPeace Institute can help bridge that gap.
“What we’ve really found since we started in 2019 is that among the programs these NGOs have had, this one is really making such a difference,” Leff says. “Because so much of keeping them secure comes down to basic cybersecurity hygiene.”