The Unique Challenge of NGO Security
Non-governmental organizations face a security paradox: they handle extremely sensitive personal data — asylum seekers, trafficking survivors, unaccompanied minors — but typically have IT budgets a fraction of what commercial organizations spend.
This isn't just a technical problem. A data breach at an NGO can put vulnerable people at physical risk. When a refugee database is compromised, those people may face persecution, deportation, or violence. When we talk about cybersecurity for the third sector, the stakes are fundamentally different from protecting corporate trade secrets.
In 2024, the ICRC (International Committee of the Red Cross) revealed a sophisticated cyberattack that compromised data on over 515,000 highly vulnerable people — including separated family members and missing persons. This wasn't an isolated incident. It was a wake-up call for the entire sector.
The Threat Landscape
Who Targets NGOs?
- State actors — NGOs operating in conflict zones or advocating for human rights are targeted by government surveillance. Pegasus spyware has been found on devices belonging to human rights defenders in multiple countries
- Cybercriminals — Ransomware groups target organizations they perceive as likely to pay. NGOs with donor-funded operations feel pressure to pay ransoms to maintain program continuity
- Hacktivists — Organizations with controversial positions face ideological attacks, including DDoS, defacement, and data leaks
- Insider threats — High staff turnover, volunteer workforces, and operations in unstable environments create persistent access control challenges
- Supply chain attacks — Third-party software vendors and consulting firms become vectors to reach NGO data
Common Vulnerabilities We Find
After auditing dozens of NGO systems across Europe, Latin America, and Asia, these issues appear in nearly every engagement:
- No centralized identity management — Staff using personal Gmail or Hotmail accounts for work, sharing passwords in spreadsheets or WhatsApp groups
- Unpatched systems — Legacy software running years behind on security updates. WordPress sites with plugins that haven't been updated since 2021
- No network segmentation — A compromised volunteer laptop on the office Wi-Fi gives access to the donor database, the beneficiary CRM, and the financial system
- Weak access controls — Former staff retaining system access months or years after departure. Shared admin accounts used by multiple people
- No incident response plan — When something goes wrong, nobody knows what to do, who to call, or what to preserve
- Shadow IT — Staff using unauthorized tools (personal Dropbox, WhatsApp for case management) because official tools are inadequate
- No encryption — Laptops without disk encryption, sensitive files sent via unencrypted email, USB drives with beneficiary data
- Weak backup practices — Backups that haven't been tested, stored in the same physical location as the primary data, or not encrypted
Real Attack Scenarios
Scenario 1: The Spear-Phishing Attack
An attacker researches an NGO's program staff on LinkedIn and sends a targeted email posing as a donor partner. The email contains a link to a "grant proposal" that installs a keylogger. Within days, the attacker has credentials to the beneficiary database.
Scenario 2: The Ransomware Event
A volunteer connects a personal USB drive to an office computer. The drive contains ransomware that encrypts the file server, including 3 years of case management records. The NGO has no offline backup and faces a choice: pay the ransom or lose everything.
Scenario 3: The Insider Breach
A disgruntled former employee who still has VPN access downloads the entire beneficiary database and leaks it to a hostile media outlet. The organization has no audit logs showing who accessed what.
A Practical Security Framework
You don't need a Fortune 500 security budget. You need the right priorities. Here's a six-month roadmap that works for organizations with limited IT resources.
Phase 1: Foundation (Month 1-2)
This phase addresses the most impactful vulnerabilities with minimal budget.
Multi-factor authentication (MFA) everywhere:
- This single step prevents approximately 80% of account compromise attacks
- Enable on all systems: email, cloud services, VPN, CRM, donor platforms
- Use authenticator apps (Google Authenticator, Authy), not SMS-based MFA
- Hardware keys (YubiKeys) for high-risk accounts: IT admins, financial officers, executive directors
Centralized identity:
- Migrate all staff to organizational accounts (Google Workspace or Microsoft 365)
- Implement Single Sign-On (SSO) for all web applications
- Create an offboarding checklist that includes immediate account deactivation
- Enforce strong password policies: 14+ characters, no reuse, password manager mandatory
Endpoint protection:
- Deploy endpoint detection and response (EDR) across all organizational devices
- Enable full-disk encryption: BitLocker for Windows, FileVault for Mac
- Implement automatic OS and software updates
- Create a device inventory — you can't protect what you don't know about
Backup strategy — the 3-2-1 rule:
- 3 copies of all critical data
- 2 different storage media (e.g., cloud + external drive)
- 1 copy offsite (geographically separated)
- Test restores monthly — a backup that can't be restored isn't a backup
Phase 2: Hardening (Month 3-4)
Network segmentation:
- Create separate VLANs for staff, volunteers, and guests
- Isolate servers containing sensitive data (beneficiary CRM, donor database)
- Implement a firewall between segments with strict rules
- Guest Wi-Fi should never have access to internal resources
Access control reviews:
- Implement the principle of least privilege — everyone gets minimum necessary access
- Quarterly audit: compare active accounts against current employee/volunteer roster
- Role-based access control (RBAC) for all systems
- Separate admin accounts from daily-use accounts
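The quarterly audit above is simple to automate once the identity provider's account export and the HR roster are both in hand. The following is an added example, not code from the original article: the account fields, the roster, the dates and the 90-day dormancy threshold are constructed assumptions.

```python
"""Quarterly access review from the article: compare active accounts
against the HR roster and flag dormant logins. Added example, not from
the original article; the account export fields, the roster, TODAY and
the 90-day dormancy threshold are constructed assumptions."""
from datetime import date

TODAY = date(2024, 6, 3)

# Constructed sample: accounts exported from the identity provider
ACCOUNTS = [
    {"user": "ana@ngo.example",   "admin": False, "last_login": date(2024, 5, 30)},
    {"user": "bob@ngo.example",   "admin": True,  "last_login": date(2024, 6, 1)},
    {"user": "carla@ngo.example", "admin": False, "last_login": date(2024, 1, 12)},
    {"user": "admin@ngo.example", "admin": True,  "last_login": date(2024, 6, 2)},
    {"user": "dev@ngo.example",   "admin": False, "last_login": date(2024, 3, 3)},
]
# Constructed sample: current staff and volunteers according to HR
ROSTER = {"ana@ngo.example", "bob@ngo.example", "dev@ngo.example"}

def review_access(accounts, roster, today=TODAY, dormant_days=90):
    """Return findings by category, each a sorted list of account names.

    orphaned_admin: privileged account with no matching person in HR
    orphaned:       account with no matching person in HR
    dormant:        roster member who has not logged in for dormant_days
    """
    findings = {"orphaned_admin": [], "orphaned": [], "dormant": []}
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            # Nobody in HR owns this account: former staff or a shared login
            findings["orphaned_admin" if acct["admin"] else "orphaned"].append(user)
        elif (today - acct["last_login"]).days > dormant_days:
            # Still employed but not using the account: candidate for removal
            findings["dormant"].append(user)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, users in review_access(ACCOUNTS, ROSTER).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Orphaned admin accounts go to the top of the list because they are the ones a departed employee in Scenario 3 would still be able to use.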
Vulnerability management:
- Monthly automated vulnerability scans (OpenVAS or Nessus Essentials)
- Prioritize patches by CVSS score: Critical and High within 7 days
- Track remediation progress — vulnerability found vs. vulnerability fixed
- Include third-party services in scope (WordPress plugins, SaaS integrations)
Email security:
- Configure SPF, DKIM, and DMARC properly — these prevent email spoofing
- Enable advanced threat protection for inbound emails
- Block auto-forwarding rules to external addresses (a common data exfiltration technique)
- Train staff to verify unusual financial requests through a second channel
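"Configured properly" is the important qualifier for SPF and DMARC: a record that exists but ends in `+all`, or a DMARC policy of `p=none`, still lets spoofed mail through. The checker below is an added example, not code from the original article; it takes the TXT record strings as input so it runs offline, and the sample records are constructed.

```python
"""Evaluate SPF and DMARC records for the weak settings that still allow
spoofing. Added example, not from the original article. Records are passed
in as strings so the check runs offline; in practice they come from a DNS
TXT lookup of the domain and of _dmarc.<domain>."""
import re

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of issues; an empty list means the record is acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    alls = [m for t in terms[1:] if (m := ALL_RE.match(t))]
    if not alls:
        issues.append("no 'all' term: mail from unlisted hosts is treated as neutral")
    elif alls[-1].group(1) in ("", "+"):   # a bare 'all' defaults to '+all'
        issues.append("'+all' authorizes any host to send as this domain")
    elif alls[-1].group(1) == "?":
        issues.append("'?all' is neutral; use '~all' or '-all'")
    names = [re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] for t in terms[1:]]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return issues

def check_dmarc(record):
    """Return a list of issues with a DMARC record (empty list = acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if "p" not in tags:
        issues.append("missing p= policy tag")
    elif tags["p"].lower() == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return issues
```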
Phase 3: Resilience (Month 5-6)
Incident response plan:
- Define clear roles: who leads the response, who communicates externally, who handles technical containment
- Create playbooks for common scenarios: ransomware, data breach, phishing compromise, lost device
- Include contact lists: legal counsel, data protection authority, law enforcement, insurance provider
- Practice tabletop exercises quarterly — walk through a scenario as a team
Security awareness program:
- Baseline phishing simulation to measure current susceptibility
- Monthly micro-trainings (5-10 minutes, scenario-based)
- Specialized training for high-risk roles: finance, IT, program directors
- Create a security champion network — one trained person per team
Log monitoring and detection:
- Centralize logs from all critical systems (firewalls, servers, cloud services, endpoints)
- Set up alerting for suspicious activity: failed logins, unusual data access, after-hours activity
- Retain logs for at least 12 months for forensic investigation
- Review alerts daily — an alert nobody reads is worse than no alert
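Two of the alerts listed above, repeated failed logins and after-hours activity, can be expressed as a few lines of logic over centralized logs. The script below is an added example, not code from the original article: the syslog-like line format, the sample lines and the thresholds are constructed assumptions, and the same rules are what you would configure in Wazuh or an ELK alerting pipeline.

```python
"""Detections from the article's alerting list, run over constructed sample
log lines: a burst of failed logins, a success right after such a burst,
and an after-hours login. Added example, not from the original article;
the syslog-like line format and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, time

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines from a hypothetical beneficiary CRM host
SAMPLE_LOGS = """\
2024-06-03T09:02:11 crm auth: FAIL user=ana src=10.0.3.7
2024-06-03T09:02:15 crm auth: FAIL user=ana src=10.0.3.7
2024-06-03T09:02:19 crm auth: FAIL user=ana src=10.0.3.7
2024-06-03T09:02:24 crm auth: FAIL user=ana src=10.0.3.7
2024-06-03T09:02:30 crm auth: FAIL user=ana src=10.0.3.7
2024-06-03T09:02:36 crm auth: OK user=ana src=10.0.3.7
2024-06-03T10:15:00 crm auth: OK user=bob src=10.0.2.4
2024-06-03T23:41:07 crm auth: OK user=carla src=203.0.113.9
""".splitlines()

def parse(lines):
    """Yield one dict per line matching LOG_RE; unparsable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect(lines, fail_threshold=5, window_s=600, office=(time(7), time(20))):
    """Return (alert_type, user, detail) tuples in log order."""
    alerts, fails = [], defaultdict(list)  # (user, src) -> failure timestamps
    for ev in parse(lines):
        key, ts = (ev["user"], ev["src"]), ev["ts"]
        # Keep only failures inside the sliding window for this user/source
        fails[key] = [t for t in fails[key] if (ts - t).total_seconds() <= window_s]
        if ev["result"] == "FAIL":
            fails[key].append(ts)
            if len(fails[key]) == fail_threshold:   # fire once per burst
                alerts.append(("failed_logins", ev["user"], f"{fail_threshold} failures from {ev['src']}"))
            continue
        if len(fails[key]) >= fail_threshold:       # burst followed by success
            alerts.append(("success_after_failures", ev["user"], ev["src"]))
        if not office[0] <= ts.time() < office[1]:  # outside assumed office hours
            alerts.append(("after_hours", ev["user"], ts.isoformat()))
    return alerts
```

The `success_after_failures` alert is the one worth reviewing first: a burst of failures that ends in a valid login is a guessed or stolen password, not a forgotten one.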
GDPR/RGPD compliance:
- Data mapping: identify where all personal data is stored, processed, and transmitted
- Privacy Impact Assessments (PIAs) for high-risk processing activities
- Appoint a Data Protection Officer (DPO) — can be part-time or external
- Establish data subject rights procedures: access, rectification, erasure, portability
The Open-Source Security Stack
We advocate strongly for open-source security tools in the NGO sector. Here's a complete stack that replaces tens of thousands of euros in commercial licenses:
SIEM & Endpoint Detection: Wazuh
- Replaces: Splunk, CrowdStrike, Carbon Black
- Features: Real-time threat detection, file integrity monitoring, compliance auditing, vulnerability scanning
- Why for NGOs: Zero license cost, deploy on your own infrastructure, fully auditable code
- Deployment: Single server can handle 50-100 endpoints
Firewall: pfSense / OPNsense
- Replaces: Palo Alto, Fortinet, Cisco ASA
- Features: Stateful inspection, VPN, IDS/IPS, traffic shaping, captive portal
- Why for NGOs: Enterprise-grade protection without enterprise-grade pricing
- Deployment: Runs on commodity hardware or a dedicated appliance
Vulnerability Scanning: OpenVAS (Greenbone)
- Replaces: Nessus, Qualys, Rapid7
- Features: 80,000+ vulnerability tests, automated scanning, compliance checks
- Why for NGOs: Community edition is free and covers most needs
- Deployment: Docker container or dedicated VM
Log Management: ELK Stack (Elasticsearch, Logstash, Kibana)
- Replaces: Splunk, Datadog, Sumo Logic
- Features: Log aggregation, search, visualization, alerting
- Why for NGOs: Process millions of log events without per-GB pricing
- Deployment: Start with a single node, scale horizontally as needed
Password Management: Vaultwarden (Bitwarden compatible)
- Replaces: LastPass, 1Password Business
- Features: Team password sharing, secure notes, TOTP generation
- Why for NGOs: Self-hosted, zero per-user cost, full data control
- Deployment: Single Docker container, minimal resources
Field Operations Security
NGOs operating in the field face unique challenges that don't apply to office-based organizations:
Device Security in Hostile Environments
- Use travel devices — separate laptops and phones that contain no organizational data beyond what's needed for the specific trip
- Enable remote wipe capability on all devices
- Use VeraCrypt hidden volumes for sensitive files — plausible deniability if devices are confiscated
- Brief staff on border crossing procedures: what to carry, what to leave behind, how to handle device inspections
Communication Security
- Signal for sensitive communications — end-to-end encrypted, minimal metadata
- ProtonMail or Tutanota for email in high-risk contexts
- Use VPN always, especially on hotel or café networks
- Establish duress codes — a pre-arranged word that signals "I'm being coerced"
Data Minimization in the Field
- Carry only the data you need for the specific mission
- Delete field data after secure synchronization to headquarters
- Use encrypted SD cards for media (photos, audio recordings)
- Never store beneficiary data on personal devices
Building a Security Budget
For NGOs that need to justify security spending to donors and boards, here's a tiered budget framework:
Minimal ($0-2,000/year)
- Google Workspace or Microsoft 365 (often free for nonprofits)
- Wazuh (free, self-hosted)
- OpenVAS (free, self-hosted)
- Vaultwarden (free, self-hosted)
- MFA with authenticator apps (free)
Moderate ($2,000-10,000/year)
- Everything above, plus:
- Professional vulnerability assessment (annual)
- Security awareness training platform
- Managed backup solution
- YubiKeys for critical staff
Comprehensive ($10,000-30,000/year)
- Everything above, plus:
- Dedicated security staff or fractional CISO
- Incident response retainer
- Penetration testing (annual)
- Dedicated firewall hardware
- Cyber insurance
Measuring Security Maturity
Track these metrics to demonstrate security improvement over time:
- MFA adoption rate — Target: 100% of staff
- Mean time to patch — Days from vulnerability disclosure to patch applied
- Phishing click rate — Percentage of staff clicking simulated phishing links
- Incident response time — Hours from detection to containment
- Account deactivation time — Hours from employee departure to account disabled
- Backup success rate — Percentage of backup jobs completing successfully
- Vulnerability remediation rate — Percentage of identified vulnerabilities fixed within SLA
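The "vulnerability found vs. vulnerability fixed" tracking from Phase 2 and the mean time to patch and remediation rate metrics above come from the same data: a list of findings with a discovery date and, once patched, a fix date. The following is an added example, not code from the original article; the 7-day SLA for Critical and High is the article's, while the Medium and Low SLAs, the findings and the reference date are constructed assumptions.

```python
"""Vulnerability tracking for the article's 'found vs. fixed' rule and the
maturity metrics mean time to patch and remediation rate within SLA.
Added example, not from the original article. The 7-day SLA for Critical
and High is the article's; the 30/90-day SLAs for Medium/Low, the
findings and TODAY are constructed assumptions."""
from datetime import date

SLA_DAYS = {"Critical": 7, "High": 7, "Medium": 30, "Low": 90}
TODAY = date(2024, 6, 3)

# Constructed findings: one row per vulnerability instance from a scan
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "found": date(2024, 5, 1),  "fixed": date(2024, 5, 4)},
    {"id": "F-2", "severity": "High",     "found": date(2024, 5, 1),  "fixed": date(2024, 5, 15)},
    {"id": "F-3", "severity": "Medium",   "found": date(2024, 5, 10), "fixed": None},
    {"id": "F-4", "severity": "High",     "found": date(2024, 5, 20), "fixed": None},
    {"id": "F-5", "severity": "Low",      "found": date(2024, 5, 20), "fixed": date(2024, 5, 30)},
]

def age_days(f, today=TODAY):
    """Days a finding has been open: found to fixed, or found to today if open."""
    return ((f["fixed"] or today) - f["found"]).days

def mean_time_to_patch(findings):
    """Average days from discovery to fix, over fixed findings only."""
    fixed = [age_days(f) for f in findings if f["fixed"]]
    return sum(fixed) / len(fixed) if fixed else None

def remediation_within_sla(findings, today=TODAY):
    """Share of findings closed inside SLA. An open finding past its SLA counts
    as missed; an open finding still inside its SLA is not counted yet."""
    met = missed = 0
    for f in findings:
        late = age_days(f, today) > SLA_DAYS[f["severity"]]
        if f["fixed"] or late:
            met += not late
            missed += late
    return met / (met + missed) if met + missed else None

def overdue(findings, today=TODAY):
    """Open findings past SLA, highest severity first, then oldest."""
    rank = list(SLA_DAYS)  # dict order: Critical, High, Medium, Low
    late = [f for f in findings
            if not f["fixed"] and age_days(f, today) > SLA_DAYS[f["severity"]]]
    return sorted(late, key=lambda f: (rank.index(f["severity"]), f["found"]))
```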
Getting Started
If you're an NGO reading this and don't know where to start, here are the five things you can do this week:
- Enable MFA on every system that supports it. Today. It's free, it takes minutes, and it's the single most impactful security measure you can implement.
- Make a list of every system that contains personal data. You can't protect what you don't know about.
- Check ex-employee access. Right now, go through your systems and deactivate any accounts belonging to people who no longer work for your organization.
- Test your backups. Try to restore a file from your last backup. If you can't, your backup strategy is failing.
- Start a conversation. Security isn't an IT-only responsibility. Bring it to the next leadership meeting.
The threats are real, but the solutions are achievable. Every step forward — no matter how small — reduces your organization's risk and better protects the people you serve.