Cybersecurity for NGOs: From “Boring, Not a Thing” to “We’d Better”
Authors: Radu Moțoc, Natalia Șeremet, TechSoup Association
In March 2024, Techsoup Association Romania organized the Cybersecurity Activator for NGOs, the first capacity-building event dedicated to cybersecurity in the nonprofit sector in the country. Throughout the online event’s nine thematic workshops, which were designed for people with any level of knowledge or practice in cybersecurity, over 200 participants representing 192 nongovernmental organizations explored essential topics, such as the security of remote work, password best practices, mobile-device protection, risks from artificial intelligence to data privacy, and social-engineering tactics.
The TechSoup team learned unsettling facts from the participants. For 70% of them, this was their first event or structured discussion on cybersecurity. One in four reported at least one cybersecurity or digital-security incident in the previous 12 months, including infected computers, hijacked social-media accounts, or loss of access to organizational data.
Below are reflections based on what Techsoup learned from the event and its 14-year history of supporting NGOs in Romania and Moldova in making use of technology to better deliver on their missions.
With our ever-increasing reliance on technology, cybersecurity has become a major global concern. The World Economic Forum's Global Risks Report 2023 listed "widespread cybercrime and cyber insecurity" among the top ten risks for the coming decade. Whether the work of an independent, financially motivated cyber-criminal or of a state-affiliated actor, attacks are continuous: one widely cited estimate, derived from honeypot measurements, puts the rate at one attack every 39 seconds worldwide. The global cost of cybercrime is expected to reach $9.5 trillion in 2024 and $10.5 trillion in 2025.
For the past three years, Microsoft's Digital Defense Report has ranked NGOs and think-tanks among the top three sectors most targeted by nation-state actors. There are several reasons why this sector appeals to attackers of all kinds.
Pressure to keep operational costs down is particularly strong in the sector. The typical NGO will prioritize program-related costs at the expense of operating costs. Cybersecurity costs usually get relegated to "overhead", which sponsors and donors frown upon. Scant resources for cybersecurity result in poor defenses against cyberattacks. Malicious actors know this. Many cyberattacks are driven by cost-benefit calculations, and it makes sense for an attacker to look for victims that are cheaper to compromise. It is for the same reason that small and medium enterprises tend to be targeted more than large ones. The poorer an entity's defenses, the more inviting a target it becomes.
NGOs are repositories of valuable data, including personal data such as financial information and highly sensitive data such as addresses, health records, or data indicating someone's vulnerable status. This is extremely appealing to bad actors: the information can be sold on the dark web for identity theft or fraud, used to extort the people it describes, or encrypted to extract a ransom from the organization.
Sometimes an NGO may be targeted simply for being in the wrong place at the wrong time: an attacker stumbles upon it and deems it the easiest entry point to potentially more interesting targets. From an attacker's perspective, an NGO is part of a supply chain: it works with suppliers, partners, and institutional and individual donors. All of these consider the NGO a trusted contact and are likely to lower their guard when interacting with it. A compromised NGO mailbox, for example, lets an attacker send convincing phishing messages or fraudulent invoices to every donor and partner in its address book. An NGO may thus be just an intermediate target in an attacker's effort to reach a more profitable one.
Finally, NGOs can be targeted because of the causes they support and the work that they do. Human rights groups, public-interest advocates, investigative journalists, or supporters of victims of human trafficking can be targeted by cyberattacks seeking to extract information, to intimidate and compromise the NGO, or to inflict harm on its members and its wider community. Hate groups, organized crime groups, or states can be behind such attacks, either with their own capabilities or through cyber-mercenaries and "hackers for hire", and the most capable of them mount Advanced Persistent Threat (APT) operations: multi-stage intrusions designed to extract information over a long period without being detected.
Since global enterprises and governmental institutions fall victim to APT operations, it is unrealistic to expect an NGO to withstand one on its own. However, most cyberattacks targeting NGOs are not state-sponsored and do not reach APT-level sophistication; they rely on phishing, weak or reused passwords, and unpatched software, which are exactly the weaknesses that basic hygiene addresses.
Nonetheless, it is time for the NGO sector to realize how big a target it makes itself by dismissing cyber-threats and to start taking cybersecurity seriously. It needs to start having more open conversations about its cyber-vulnerability and about the root cause: the lack of appropriate support for making NGOs secure.
First, the organizational culture that treats IT and cybersecurity spending as “non-mission critical” costs must end. This borders on irresponsibility.
In less severe types of cyberattacks, such as cryptojacking, the result is operational disruption, loss of productivity, and increased running costs. In severe cases, such as ransomware attacks, the usual consequence is complete or near-complete organizational downtime. In ransomware cases, globally, the average downtime of successfully targeted companies is 22 days. Organizations also have to decide whether to pay a ransom: only 8% of businesses that pay report getting back access to all of their data, and law-enforcement agencies strongly advise against paying, both because it funds and encourages further attacks and because payment guarantees neither a working decryption key nor the deletion of stolen data. If they decide to pay, NGOs have to find the money and justify the decision to their board and donors. Another very likely result is the theft of personal and financial data, which modern ransomware groups exfiltrate before encrypting and then put up for sale on the dark web or use as a second lever for extortion. And perhaps the most important consequence of a successful cyberattack is reputational damage and loss of public trust. An NGO simply cannot risk any of the above for the sake of keeping operating costs down.
Second, private and public donors need to realize that cybersecurity and the upkeep of tech capacity are as imperative in the NGO sector as they are in the business or the public sector.
That realization then has to be translated into how funds are allocated. Many grant application templates still come with budget forms that bundle hardware and software together. But gone are the days when a grantee would purchase computers, operating systems, and software and use them for several years. While hardware still typically qualifies as capital expenditure, most software vendors, including in cybersecurity, have moved to the service-subscription model. Software costs have thus become regular, typically predictable, core costs, and should be treated as operational expenses. However, security software alone cannot do the job if NGOs run outdated computers and operating systems that go unpatched for months, or that are no longer supported by their vendor at all, and thus leave the organization widely exposed to attackers.
There is also the need for training, given that by frequently cited estimates as many as 95% of data breaches involve human error. Regular security awareness training for staff is essential to keep NGOs secure. With the omnipresence of remote and hybrid work and the use of personal devices to access organizational resources and data, a workforce that follows good security routines (recognising and reporting phishing, using strong unique passwords with multi-factor authentication, and keeping devices updated) may be the best defense against cyber-threats.
And finally, there is the need for expertise. It is unrealistic to expect that many NGOs will be able to hire and retain qualified IT and cybersecurity staff anytime soon, especially with the growing global demand for their skills. But they should be able to hire external consultants for initial assessments, for designing and implementing security measures, and for regular audits and expert advice.
For donors, all of the above entails reconsidering two practices: capping support for NGOs' operational expenses in favor of program-related costs, and treating spending on general IT and tech capacity-building as peripheral to NGO work.
Cybersecurity, when done right, is roughly 80% prevention (monitoring, patching, and reducing and hardening an organization's attack surface) and 20% detection and incident response. This balance is a good thing, but it does not make for a catchy fundraising pitch, nor is it something NGOs will consider worthy of inclusion in their annual achievement reports. Viewed this way, cybersecurity may appear boring, but the same could be said of the seatbelts in a car.
TechSoup Association supports NGOs, teachers, and civic professionals across Romania in accessing and understanding digital technology. The “Cybersecurity Activator for NGOs in Romania” project, supported by Engaging Central Europe in 2023–2024, was implemented under the PROTEUS program and co-funded by the European Union. The views and opinions expressed are solely those of the author(s) and do not necessarily reflect those of the Transatlantic Foundation (TF) or the European Union (EU). Neither the EU nor TF can be held responsible for them.