How can international organizations and NGOs protect their data?
According to the CyberPeace Institute, NGOs are often the victim of cyberattacks, with over 50% of NGOs reporting being targeted and 86% lacking cybersecurity plans.
International organizations and NGOs are involved in international development, humanitarian issues, human rights work, etc., often in relation to matters of life and death. They hold a vast amount of sensitive information, among it beneficiaries’ data (contact details, location, religion, gender, ethnicity, banking details, political opinions or health) but also donors’ data (private or public companies, individuals and states, with their banking information) and finally financial, third-party and employee information. This valuable data makes them ideal victims for cybercriminals: easy targets that have a lot to lose.
How to protect NGOs’ most sensitive data?
I – Identification and classification of data
Before implementing any measures, it is essential to identify and classify data, including sensitive data types. The sensitivity levels will be determined by categories such as: public (information can be shared with the public), internal (information is made available company-wide but still considered internal and requiring protection), confidential and restricted (sensitive, such as beneficiaries’ and donors’ data).
On top of implementing security measures, international organizations and NGOs must comply with data protection standards and regulations. The largest NGOs are more likely to create their own data protection policies. For example, UNHCR (United Nations High Commissioner for Refugees) has its “Policy on the Protection of Personal Data of Persons of Concern to UNHCR”, which is consistent with the UN General Assembly’s Guidelines and other international instruments concerning the protection of personal data and individuals’ privacy. Most such policies are in line with GDPR.
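The classification step above is easiest to make concrete as a per-field policy that rolls up to a record-level label. The following is an added example (not code from the article or from ELCA) using the four levels the article names; the field names, the audiences and their clearances are assumptions made for the illustration. Unknown fields deliberately default to the highest level so that a newly added column is never under-classified by accident.

```python
"""Record-level sensitivity classification (added example, not from the article)."""
from typing import Dict, List, Tuple

# The four sensitivity levels named in the article, least to most sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Field-to-level policy. The field names are assumptions for this example;
# the article only states that beneficiaries' and donors' data are restricted.
FIELD_POLICY: Dict[str, str] = {
    "programme_name": "public",
    "office_location": "internal",
    "staff_email": "confidential",
    "beneficiary_name": "restricted",
    "beneficiary_phone": "restricted",
    "beneficiary_religion": "restricted",
    "beneficiary_health": "restricted",
    "donor_iban": "restricted",
}

# Assumed audiences and the highest level each one is cleared to see.
AUDIENCE_CLEARANCE = {
    "general_public": "public",
    "all_staff": "internal",
    "programme_team": "confidential",
    "case_workers": "restricted",
}


def field_level(name: str) -> str:
    """Level for one field; anything not in the policy is treated as restricted."""
    return FIELD_POLICY.get(name, "restricted")


def classify_record(record: Dict[str, object]) -> Tuple[str, List[str]]:
    """Return the record's overall level (the highest of its fields) and the
    fields that drove that decision, so a reviewer can see why it was labelled."""
    per_field = {name: field_level(name) for name in record}
    top = max(per_field.values(), key=lambda lvl: RANK[lvl])
    drivers = sorted(name for name, lvl in per_field.items() if lvl == top)
    return top, drivers


def redact_for_audience(record: Dict[str, object], audience: str) -> Dict[str, object]:
    """Copy of the record with every field above the audience's clearance removed."""
    clearance = RANK[AUDIENCE_CLEARANCE[audience]]
    return {name: value for name, value in record.items()
            if RANK[field_level(name)] <= clearance}


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = {
        "programme_name": "Shelter support 2024",
        "office_location": "Field office A",
        "beneficiary_health": "chronic condition",
        "case_notes": "free text",        # not in the policy -> restricted by default
    }
    print(classify_record(sample))
    print(redact_for_audience(sample, "all_staff"))
```

The roll-up rule (record level = maximum field level) is what lets the same policy drive both storage decisions (which database, which encryption key) and sharing decisions (which export an audience may receive).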
II - Measures to protect sensitive data
Once the sensitive data have been identified, located and assessed, the next step is reinforcing the fundamental measures that protect them. In addition to the familiar infrastructure security components (servers, firewall, WAF, proxy, etc.), a wide range of measures cover several data protection aspects:
- Multi-factor authentication (MFA), which uses two or more authenticators (e.g. biometrics, OTP, password), is now the standard for securing web applications.
- Regular renewal of passwords and a strong password policy (minimum length, history size, interval between password changes, password complexity, number of wrong authentication attempts before the account is automatically locked out).
- Review user access periodically to ensure that only authorized people gain access to the resources they are entitled to view.
- For specific data and scenarios, anonymization (an irreversible transformation after which the data can no longer be attributed to the original person or record) or pseudonymization (replacing identifiers with tokens that can only be linked back using information kept separately) can help achieve the expected level of protection.
- To maintain the viability of NGOs, sensitive data (e.g. beneficiaries’ data) must stay confidential. Both data at rest and data in transit must be protected by vetted and secure encryption techniques and by protocols that secure communication (e.g. TLS). Authenticated encryption primitives such as the AES-GCM and AES-CCM modes of operation, or the ChaCha20-Poly1305 stream cipher with its MAC, ensure that data is protected from both unauthorized disclosure and unauthorized modification.
- Further, a Data Loss Protection (DLP) solution can reduce the leakage of sensitive information from the organization by locating, classifying and monitoring information at rest, in use and in motion.
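The anonymization and pseudonymization bullet is the one most often implemented incorrectly in practice, so here is an added example (not code from the article or from ELCA) of both applied to a beneficiary record. It uses a keyed HMAC for the pseudonym, so the same beneficiary gets the same token across datasets, but nobody without the separately held key can link the token back, and it uses generalization (age bands, country only) for the quasi-identifiers. The record layout, the field names and the location format "City, Country" are assumptions for the illustration.

```python
"""Pseudonymization and anonymization of a beneficiary record (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict

# Fields that identify a person directly; they are dropped, never passed through.
DIRECT_IDENTIFIERS = {"name", "phone", "iban"}
# Special-category fields the article lists; suppressed entirely in the shared view.
SUPPRESSED = {"religion", "ethnicity", "health", "political_opinion"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. An unkeyed hash would NOT be a pseudonym for
    small input spaces such as phone numbers or IDs, because the input space can
    be enumerated; the key, stored apart from the data, is what prevents linkage."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize_age(age: int) -> str:
    """Generalize an exact age to a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_location(location: str) -> str:
    """Keep only the coarsest component of 'City, Country' (assumed format)."""
    return location.rsplit(",", 1)[-1].strip()


def protect_beneficiary(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Produce the view that may leave the case-management system.

    Direct identifiers are removed, the beneficiary ID is replaced by a keyed
    token, quasi-identifiers are generalized, special categories are suppressed
    and only the operational attribute needed downstream is kept."""
    out: Dict[str, object] = {
        "beneficiary_token": pseudonymize(str(record["beneficiary_id"]), key),
        "age_band": anonymize_age(int(record["age"])),
        "country": anonymize_location(str(record["location"])),
        "assistance_type": record["assistance_type"],
    }
    # Defensive check: nothing identifying or special-category may slip through.
    leaked = (DIRECT_IDENTIFIERS | SUPPRESSED) & set(out)
    assert not leaked, f"identifying fields leaked: {leaked}"
    return out


if __name__ == "__main__":
    # Constructed sample, not real data. In production the key lives in a
    # secrets manager or HSM, separate from the database it protects.
    pseudonym_key = secrets.token_bytes(32)
    sample = {
        "beneficiary_id": "B-000123",
        "name": "Example Person",
        "phone": "+41 00 000 00 00",
        "age": 34,
        "location": "Example City, Example Country",
        "religion": "undisclosed",
        "health": "chronic condition",
        "assistance_type": "cash",
    }
    print(protect_beneficiary(sample, pseudonym_key))
```

Whether the output counts as anonymized or merely pseudonymized depends on whether the key still exists: while the organization holds it, the token is reversible by the organization and the data remain personal data under GDPR; destroy the key and the remaining generalized attributes must be assessed for re-identification risk on their own.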
It is important to keep in mind that these security measures to protect data must be proportional to their sensitivity and that even with these measures in place, there is still some risk.
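The password-policy bullet above lists the parameters (minimum length, complexity, history size, change interval, lock-out threshold) but not how they fit together. The following added example (not code from the article or from ELCA) enforces all five against an account object: candidate passwords are checked for length and character classes, compared against the salted PBKDF2 hashes of the last N passwords, and failed logins are counted until the account locks. The policy values and the account structure are assumptions chosen for the illustration, not recommendations from the article.

```python
"""Password policy, history and lock-out enforcement (added example)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_classes: int = 3       # of lower, upper, digit, symbol
    history_size: int = 5          # may not reuse any of the last N
    max_age_days: int = 90         # change interval
    max_failed_attempts: int = 5   # lock-out threshold


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    changed_at: Optional[date] = None
    failed_attempts: int = 0
    locked: bool = False


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored hash."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


def complexity_classes(pw: str) -> int:
    """Number of character classes present in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def validate_new_password(policy: PasswordPolicy, account: Account, candidate: str) -> List[str]:
    """Return the list of policy violations (empty means acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if complexity_classes(candidate) < policy.require_classes:
        problems.append(f"fewer than {policy.require_classes} character classes")
    if any(matches(candidate, salt, digest) for salt, digest in account.history[-policy.history_size:]):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


def set_password(policy: PasswordPolicy, account: Account, candidate: str,
                 today: Optional[date] = None) -> List[str]:
    """Apply the policy; on success store the hash, trim history and reset the clock."""
    problems = validate_new_password(policy, account, candidate)
    if problems:
        return problems
    account.history.append(hash_password(candidate))
    account.history = account.history[-policy.history_size:]
    account.changed_at = today or date.today()
    return []


def needs_rotation(policy: PasswordPolicy, account: Account, today: date) -> bool:
    """True when the password is older than the policy's change interval."""
    return account.changed_at is None or today - account.changed_at > timedelta(days=policy.max_age_days)


def attempt_login(policy: PasswordPolicy, account: Account, candidate: str) -> str:
    """Return 'ok', 'denied' or 'locked'; lock after too many consecutive failures."""
    if account.locked or not account.history:
        return "locked"
    salt, digest = account.history[-1]
    if matches(candidate, salt, digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy.max_failed_attempts:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    policy, account = PasswordPolicy(), Account()
    print(set_password(policy, account, "short"))                       # violations listed
    print(set_password(policy, account, "Correct-Horse-Battery-9"))     # []
    print(attempt_login(policy, account, "Correct-Horse-Battery-9"))    # ok
```

Lock-out is a denial-of-service lever as well as a brute-force control, which is one reason the article pairs the password policy with MFA rather than relying on either alone; the lock-out threshold should be chosen with the help-desk unlock process in mind.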
How can ELCA help?
Data protection is a must-have for international organizations and NGOs. To help them with security challenges, ELCASecurity and Senthorus, the two new entities created by ELCA, cover the entire cyber journey and offer all the required services, mechanisms and processes to ensure data confidentiality, integrity and availability. In addition, as an MSSP (Managed Security Service Provider), ELCASecurity and Senthorus can support international organizations and NGOs from the definition of their security strategy to their incident response management.