How can international organizations and NGOs protect their data?

21.03.2022

According to the CyberPeace Institute, NGOs are often the victims of cyberattacks, with over 50% of NGOs reporting being targeted and 86% lacking cybersecurity plans.

expert
Mei Yang
Head of International Organizations

International organizations and NGOs are involved in international development, humanitarian issues, human rights work, etc., often in relation to matters of life and death. They hold a vast amount of sensitive information: beneficiaries’ data (contact details, location, religion, gender, ethnicity, banking details, political aspects or health), donors’ data (private or public companies, individuals and states, with banking information) and, finally, financial, third-party and employee information. This valuable data makes them ideal victims for cybercriminals: easy targets who have a lot to lose.

How to protect NGOs’ most sensitive data?

 

I – Identification and classification of data

Before implementing any measures, it is essential to identify and classify data, including sensitive data types. The sensitivity levels will be determined by categories such as: public (information can be shared with the public), internal (information is made available company-wide but still considered internal and requiring protection), confidential and restricted (sensitive, such as beneficiaries’ and donors’ data).

On top of implementing security measures, international organizations and NGOs must comply with data protection standards and regulations. The largest NGOs are more likely to create their own data protection policies. For example, UNHCR (United Nations High Commissioner for Refugees) has its “Policy on the Protection of Personal Data of Persons of Concern to UNHCR”, which is consistent with the UN General Assembly’s Guidelines and other international instruments concerning the protection of personal data and individuals’ privacy. Most policies are in line with GDPR.

 

II – Measures to protect sensitive data

Once the sensitive data have been identified, located and assessed, the next step is reinforcing fundamental measures to protect them. In addition to known infrastructure security components (servers, firewall, WAF, proxy, etc.), a wide range of measures cover several data protection aspects:

  • Multi-factor authentication (MFA), which uses two or more authenticators (e.g. biometrics, OTP, password), is now the standard for securing web applications.
  • Regular renewal of passwords and strong password policy (minimum length, history size, interval of password change, complexity of password, number of wrong authentication attempts before the automatic account lock-out).
  • Review user access periodically to ensure that only authorized people gain access to the resources they are entitled to view.
  • For specific data and scenarios, anonymization (an irreversible transformation that ensures the data can no longer be attributed to specific initial information) or pseudonymization can help achieve the expected level of protection.
  • To maintain the viability of NGOs, sensitive data (e.g. beneficiaries’ data) must stay confidential. Data at rest and in transit must both be protected by vetted, secure encryption techniques and by protocols that secure communication (e.g. TLS). Primitives such as the AES-GCM and AES-CCM modes of operation or the ChaCha20-Poly1305 stream cipher ensure that data is protected from unauthorized parties and unauthorized modification.
  • Further, it is possible to use a Data Loss Protection (DLP) solution to decrease the loss of sensitive information that occurs in an enterprise by focusing on the location, classification and monitoring of information at rest, in use and in motion.

It is important to keep in mind that these security measures to protect data must be proportional to their sensitivity and that even with these measures in place, there is still some risk.
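The difference between pseudonymization and anonymization named in the list above can be shown on a single beneficiary record. This is an added example, not ELCA's code: the field names, the sample record, the HMAC-SHA256 tokenization and the generalization rules are assumptions chosen for illustration, and the sensitivity tags reuse the levels from section I.

```python
import hashlib
import hmac

# Constructed field names, tagged with the sensitivity levels from section I.
CLASSIFICATION = {
    "beneficiary_id": "restricted", "full_name": "restricted",
    "phone": "restricted", "religion": "restricted",
    "birth_year": "confidential", "district": "confidential",
    "programme": "internal",
}
DIRECT_IDENTIFIERS = {"beneficiary_id", "full_name", "phone"}

# Constructed sample record.
RECORD = {
    "beneficiary_id": "B-1001", "full_name": "Sample Person A",
    "phone": "+00 000 0001", "religion": "sample-value",
    "birth_year": 1987, "district": "North/Camp-3",
    "programme": "cash-assistance",
}


def pseudonymize(record, key):
    """Swap direct identifiers for keyed tokens; the key holder can still link records."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS & record.keys():
        msg = f"{field}:{record[field]}".encode()
        out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]
    return out


def anonymize(record):
    """Drop restricted fields and coarsen confidential ones; no token or key remains."""
    out = {}
    for field, value in record.items():
        level = CLASSIFICATION[field]
        if level == "restricted":
            continue
        if field == "birth_year":
            value = f"{value // 10 * 10}s"      # 1987 -> "1980s"
        elif field == "district":
            value = value.split("/")[0]          # "North/Camp-3" -> "North"
        out[field] = value
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-real-keys-in-a-vault"
    print(pseudonymize(RECORD, key))
    print(anonymize(RECORD))
```

The pseudonymized record still carries the sensitive attribute (`religion`) and can be re-linked by anyone holding the key, so it needs the same access control and encryption as the original; under GDPR it remains personal data.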

 

How can ELCA help?

Data protection is a must-have for international organizations and NGOs. To help them with security challenges, ELCASecurity and Senthorus, the two new entities created by ELCA, cover the entire cyber journey and offer all the required services, mechanisms and processes to ensure data confidentiality, integrity, and availability. In addition, as an MSSP (Managed Security Service Provider), ELCASecurity and Senthorus can support international organizations and NGOs from the definition of their security strategy to their incident response management.

Contact: Mei Yang
