Altruism under attack: why cybersecurity has become essential to humanitarian nonprofits

Humanitarian initiatives have always been of huge global importance, but perhaps never more so than over the past few years. The impacts of the COVID-19 pandemic, unprecedented shifts in weather patterns limiting resource availability and triggering mass migration, Russia’s invasion of Ukraine, and some of the largest rises in living costs for decades have all brought new urgency to the vital support humanitarian work (often led by nonprofits) provides those in need.

However, nonprofits engaging in humanitarian efforts are finding themselves faced with increasing cybersecurity risks and challenges that threaten their ability to provide relief successfully, safely, and securely. As a result, cybersecurity is increasingly playing a vital role in the future of the nonprofit-led humanitarian landscape.

Under siege by complex threats

Nonprofits and the wider humanitarian sector face increasing cybersecurity risks and challenges. “Many humanitarian and nonprofit organizations started their digital transformation later than most other entities. The increasing use of digital technologies to deliver services and programs for their beneficiaries means that their cyberattack surface has recently increased,” Stéphane Duguin, CEO of the Cyberpeace Institute, an independent and neutral organization committed to assisting humanitarian firms to prepare against cyberattacks, tells CSO. This is a challenge for such organizations, primarily as they find it more difficult to attract and retain cyber talent “first and foremost for financial reasons, whilst at the same time grappling with increased technological complexity and legal matters, on top of numerous legacy and third-party dependencies. These challenges often lead to poor cybersecurity practices and, in turn, an increasing number of successful cyberattacks against them.”

Many of these attacks are financially motivated and the CyberPeace Institute sees many nonprofits falling prey to automated attacks that could have been easily avoided with basic security controls, Duguin says. “In some attacks, nonprofits are not specifically targeted, they are just caught in criminal nets who frequently do not even own the attack infrastructure they use – they only rent it to others.” With the advent of ransomware, criminals are increasingly able to monetize network access by encrypting critical data such as healthcare records and the asking nonprofits to pay a ransom to get their access back to the data. “As a result, we see a number of nonprofits turning to cyber insurers – which is good to protect donor funds, but not the first measure we recommend to strengthen cyber resilience,” Duguin adds.

Cyber insurance claims up 57%

Interestingly, Coalition’s 2022 Cyber Claims Report mid-year update discovered that, while the first half of 2022 saw a slight decrease in both the severity and frequency of cyber claims among policyholders compared to the previous year, there was a staggering 57% increase in claim frequency among nonprofits.

As for financially motivated cyberattacks that specifically target nonprofits, these are often triggered by the fact that not only do they manage large sums of donor money – which is of significant interest to cybercriminals – they also run critical services to vulnerable communities and in doing so typically manage sensitive personal data, Duguin says. “Threat actors try to disrupt such services and to exfiltrate data. This is where the asymmetry between the resources to attack and those to defend against cyberattacks is the starkest.”

Attacks impact those helping world’s most vulnerable

When nonprofit and humanitarian organizations are breached and come under cyberthreat, the effects are not only felt by the businesses themselves, but often also by the world’s most vulnerable people. “Attacks can cause disruption in some already precarious situations. Sometimes the money that is used to pay ransoms can be donations that didn’t go to providing the assistance the victim was chartered to provide. In worst-case scenarios, political dissidents and other protected individuals can be exposed and potentially killed, causing hesitation and silencing important voices,” says Alex Applegate, senior threat researcher at DNSFilter, a cybersecurity company that formed the Ukraine Strong Tech Vendor Coalition initiative earlier this year to provide technology and financial support to Ukraine amid Russia’s invasion of the nation. Misinformation and disinformation campaigns may gain extra strength since they are hosted on trusted webpages while undermining the trust in those organizations and their future services, he adds. “Also at great risk are charitable foundations. If a foundation’s information is compromised, donors may be reluctant to continue to support a cause and potentially risk exposing themselves again, and it isn’t beyond consideration to reflect on what the attacker is using those funds and records for, either.”

Security partnerships are key

Partnerships between technology companies and the public and social sectors are vitally important to improve the cybersecurity of nonprofit-led humanitarian endeavors, Erin Baudo Felter, VP social impact and sustainability at cybersecurity vendor Okta, tells CSO. This is an area where promising work is now underway. In September, NetHope, a consortium of global nonprofits driving to solve development, humanitarian, and conservation challenges; the United States Agency for International Development (USAID), an independent agency of the US federal government responsible for administering civilian foreign aid and development assistance, and Okta announced a memorandum of understanding for establishing a new Information Sharing and Analysis Center (ISAC) committed to supporting the increase of cybersecurity shared services and tools for the humanitarian sector. The CyberPeace Institute also announced its support for the initiative.

Once established, the ISAC will enable host governments, donors, technology companies and other trusted providers to support the spectrum of information security needs of nonprofit agencies and the world’s most vulnerable communities. The companies involved said the initiative will act as a force multiplier that brings contextually sensitive expertise into one platform to drive efficiency, reach and digital impact to those they serve. It has been designed to support each nonprofit member’s primary focus area and factor in geopolitics, digital ethics, and disinformation risks, identifying cyber risks and suggesting remediations, providing training and advice to staff on cybersecurity and threat response, and delivering tools and technology to receive and react to threats.

A space for nonprofits to engage with experts

“Information sharing commitments like this provide a space for nonprofit organizations to voice their needs and for companies to listen and respond,” says Baudo Felter. “When we also bring governments and institutional funders to the table, we open up opportunities to advocate for even bigger support.” The goal for the technology sector is to avoid looking at civil society as simply another buyer of products, but rather to understand the challenges and identify the resources they can bring to bear to support a stronger social sector, she adds, with particular focus on:

• Ensuring that the expertise of teams benefit more than just immediate networks of customers and partners.
• Making products accessible for civil society organizations, easier to use, and trustworthy/secure.
• Encouraging corporate support to take on more risk than most traditional funders which means an obligation to step up first to support new and innovative approaches, such as NetHope’s Humanitarian ISAC.

“A few decades ago, when industry found itself coming under threat from cyber breaches, ISACs were the response,” says Lance Pierce, CEO of NetHope. “Industry-formed ISACs made up of information security professionals who routinely shared information and got feedback on things they were observing in their networks. When your software is telling you that ‘everything is fine’ it is often only the seasoned professionals sitting down to share and inform with trusted peers in a secure channel who can identify that there is a problem. The humanitarian and development sector doesn’t yet have an ISAC, but the NetHope Global Humanitarian ISAC aims to fill that void.”