Why do humanitarian and development organizations need protection against cyberattacks ? – An article from the CyberPeace Institute

Non-governmental organizations (NGOs), including humanitarian and development organizations, make a vital contribution to humanity, assisting and protecting people around the globe. They regularly ensure the delivery of essential services such as the provision of healthcare, access to food and nutrition, shelter, water, sanitation and hygiene.

This sector has also become increasingly dependent on technology to improve the capacity to deliver and scale programs, engage with beneficiaries, and respond at speed to populations in need. They thus collect, manage and process large volumes of data electronically, including highly sensitive and personal information, often related to people in vulnerable situations – people who experience detention, ill-treatment, and torture, missing people or data held on individuals who could be considered persons of interest by some authorities or actors.

As a result, malicious actors are committing more and more cyberattacks on NGOs  to steal funding, exfiltrate data and/or to intentionally disrupt the ability of an NGO to operate with potentially devastating outcomes for vulnerable people dependent on these organizations.

Cyberattacks threaten NGOs’ operations and cause harm to vulnerable individuals

The harm caused to organizations that experience a cyber incident can be catastrophic – from exfiltrated and leaked data to disruption of systems and services, to  financial loss, the compromise of internal information and supply chain failures.

A few striking examples:

  • In January 2022, the targeted cyberattack against the International Red Cross Committee (ICRC) led to the compromise of personal data and confidential information on more than 515,000 vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention.
  • The leak of KPAI (Indonesian Child Protection Commission) data in October 2021 included personal information of people who had filed reports on alleged child abuse cases, including bullying, kidnapping, violence against children and rape. The breach exposed the names of children and their guardians, underscoring their vulnerability to malicious actors in cyberspace.
  • In January 2020, Roots of Peace, an NGO with a mission to support vulnerable farmers by removing landmines and restoring agricultural farmland in Afghanistan, suffered a financial loss of US$ 1.34 million to threat actors who tricked the NGO into transferring money. This attack hampered the charity’s efforts to provide its assistance to conflict-affected people and at a time when their support was most needed during the harvest season in the country.

What we learn from these attacks

While these examples are non-exhaustive, several trends can be drawn from the data collected and analyzed by the CyberPeace Institute about the complex landscape of cyber incidents experienced by non profit organizations. Between July 2020 and June 2022, the CyberPeace Institute recorded 157 cases of cyber incidents impacting the not-for-profit sector, for which data was publicly available.

Digital and informational impact

This analysis offers insights that are indicative of the types of incidents and impact faced:

  • In 96 (61%) incidents the organizations issued a notification of the breach for the affected users, from which 89 (93%) incidents took place in the USA
  • In a minimum of 60 (38%) incidents personal data was exposed
  • In at least 28 (18%) incidents data was exfiltrated
  • In 45 (29%) incidents there were system disruptions and in a minimum of 8 (5%) incidents there were disruptions of services
  • In at least 32 (20%) incidents there was the unauthorized access or take-over of an email account

The highest number of cyber incidents (38) was recorded in human services such as adoption and children’s aid centers, community support services, rehabilitation facilities, and care centers helping the elderly and persons with disabilities. Healthcare services and medical disciplines (37 incidents), philanthropy (13 incidents), civil rights and youth development (each 11 incidents), and international affairs and security (10 incidents).

Types of cyberattacks

The Institute observed a wide range of malicious cyber threats in the past two years. The most common type of incidents included unauthorized access (56 incidents), supply chain attacks (18 incidents), data breaches (each 16 incidents) and ransomware attacks (36 incidents). Less frequent but still present were cases of hacking, phishing, spyware, distributed denial-of-service (DDoS) attacks, fraud and defacement.

Types of threat actors

Despite limited data to date, cyberattacks have been carried out by malicious actors including states or state-sponsored actors, criminal groups, ideological actors (so-called hacktivists), and others. From the 157 of the recorded cases, only twelve incidents – seven of them ransomware – have been linked to a threat actor through either technical, political or legal attribution or have been self-attributed by the actor themselves. There is an evident attribution gap due to the complexity of tracking and identifying the perpetrator of a cyberattack and the length of the attribution process.

Improving cyber resilience should be a priority

Many NGOs and not for profits do not have the budget, know-how, or time to properly secure their ICT infrastructure and develop a robust incident response system that could deal with a range of cyber incidents and attacks.

Cybersecurity posture and overall vulnerability of NGOs thus remains a problem. The Institute has observed this trend based on its practical support to NGOs as well as collected information. For example, among the 19 Swiss NGOs that joined the CyberPeace Builders program, a free cybersecurity assistance program, and that have completed their General Security Assessment (GSA), the average cybersecurity assessment score is 28 points out of 100. While the results are only illustrative and vary from one NGO to the other, the following conclusions can be drawn from the sample:

  • 11% of NGOs that completed the assessment had cyber insurance
  • 21% of NGOs backup and verify their data thoroughly. 68% of NGOs do only a partial backup of their systems/data
  • 5% of NGOs have Security Information and Event Management (SIEM) in place to monitor their devices/network
  • 21% of NGOs have two factor authentication (2FA) activated and implemented throughout all their platforms. 6 of them have it only partially implemented
  • 16% of NGOs have a limited incident response plan, and that is not always reviewed and updated
  • 53% of NGOs have next generation endpoint protection antivirus implemented
  • 5% of NGO had their staff trained and exposed to a simulated phishing exercise.
  • 21% of NGOs have partially trained their staff against cyber threats.
  • 26% of NGOs have a password manager in place
  • 5% of NGO partially monitor the dark web on an ad-hoc basis.

Conclusion

NGOs present a vulnerable target for malicious actors in cyberspace both because of their mission and their lack of cyber resilience. This exposes them to the risk and  negative consequences of cyberattacks, including the demand to pay a ransom in order to continue to carry out their operations and to ensure the needs of their beneficiaries. NGOs also face loss of funds, but also the secondary impacts on their operations because of the downtime, recovery time and costs to restore systems and services.  They also risk reputational harm and the loss of the trust and confidence of their beneficiaries, donors and other stakeholders. As a consequence, the essential services that NGOs provide may be severely impacted or even halted, limiting the help they can provide to people in need. Ultimately, the most vulnerable suffer.

NGOs must be able to focus on bringing programs, assistance and protection to those in need. The CyberPeace Institute is committed to working with NGOs to assist them to build their cyber resilience and to call for collective action to put a stop to cyber threats and attacks.

***

The CyberPeace Institute is an independent and neutral non-governmental organization based in Geneva which strives to reduce the frequency, impact and scale of cyberattacks, to hold actors accountable for the harm they cause, and to assist vulnerable communities. For more information, please visit: https://cyberpeaceinstitute.org/

 

Tags

Newsletter

Suivez l’actualité du secteur des fondations ! Dans la newsletter, nous présentons thèmes clés et discussions actuelles, nous analysons les développements juridiques et politiques et nous vous recommandons des publications et des formations.