The Introductory Guide to Cybersecurity for Civil Society Organisations (CSOs) 

 

(Alt Text: Black Android Smartphone On Top Of White Book)

 

The internet changed the course of history. It slammed into the world like a hurricane, knocking us off our feet. We interact with it, we coexist with it, and there isn’t a single aspect of human life that hasn’t been influenced by the adoption of digital tools, including the global growth of civil society organisations.

Consider social media, which has evolved into a potent advocacy tool worldwide. From the #Metoo movement in America to #ChessinSlums in Nigeria. Digital tools help civil society organizations achieve their goals much more quickly by putting them in front of a larger audience.

Unfortunately, digital tools do not come without drawbacks.

 

Digital Challenges Facing Civil Society Organisations 

 

With the good comes the bad, and digital tools are no exception. To put it simply, digital technology has enabled unprecedented levels of intrusive surveillance. Because of the increased use of technology, digital systems, and mobile phones, people and institutions are vulnerable to many threats, including account impersonation attempts, phishing attacks, and cyber-based corrupt financial transactions.

Unfortunately, these attempts to exploit flaws in technological systems have increased in frequency over time. And non-profit organizations and those working to improve civil society are particularly vulnerable as targets. Because for three major reasons:

1. Your access to sensitive data, such as clients’ and donors’ personal information. 
2. Your work exposes your organization to targeted harassment from individuals or groups who oppose its mission.
3. Many CSOs like yours operate on tight budgets. That is sometimes barely enough to complete projects, with very little left over for cybersecurity. 

Fortunately, the following practices can help your civil society organization combat these challenges and keep the threats at bay.

 

Top 3 Cybersecurity Best Practices for Civil Society Organisations

 

When it comes to cybersecurity, the general rule of thumb is to be proactive rather than reactive. We recommend using this principle to create a security culture in your organization that protects both employees and stakeholders.

 

These best practices include:

 

1. Conduct Regular ICT (Information Communication Technology) Audits

It would be best if you never relied on guesswork when it comes to your organisation’s ICT infrastructure. To truly understand where the vulnerabilities lie, an IT security audit of your current infrastructure (along with subsequent regular audits) is necessary. An IT security audit provides invaluable information about your security controls – strong points, vulnerabilities, and threats.

(Alt Text: Software Engineer Standing Beside Server Racks) 

Yes, risk management audits are uncomfortable because they expose all of your systems and strategies to an auditor’s scrutiny, but they are undeniably worthwhile.

The audit data will assist your organization in staying ahead of security breaches, insider threats, and other cyberattacks that can jeopardize your CSO’s reputation and finances. So, get used to ICT risk management audits.

Pro Tip: at the bare minimum, ensure you’re conducting audits at least once annually. Bonus points if one of these audits is conducted by an external auditor. 

 

         2. Prioritize Cybersecurity Education For Volunteers, Staff, and Other Stakeholders 

 

In the last few years, civil society organizations have witnessed an exponential increase in cyberattacks, data breaches, and even government-sponsored cyber warfare. The human factor is a major contributing factor (good or bad) in almost all of these incidents.

A lack of cybersecurity education for all involved with your organization increases the likelihood of security breaches and cyberattacks. Attacks which can erode stakeholders’ and the public’s trust in how your organization handles personal and sensitive information, as well as weakening confidence in the programs you deploy.

 

(Alt Text: Teach Doce Ornament On A Table) 

As a result, if your organization is serious about combating cyber threats, it is critical to prioritize education and awareness about digital security best practices for all those involved with your CSO: volunteers, staff, donors, clients, and members of the public.

Because while most people have a basic understanding of digital security best practices, that is about all they have. Without ongoing training, awareness, and knowledge testing, staff and stakeholder behavior is one of the most significant security risks your organization faces.

 

         3. Build a Healthy Digital Security Culture 

 

A healthy cybersecurity culture does not emerge by chance in any organization. It needs to be nurtured. In other words, a sustainable security culture is more than a single event; it is a lifecycle that generates security returns in perpetuity.

But how do you go about creating such a culture in your organization?

Sustainable security culture has four defining features:

1. It is intentional and disruptive: Because the primary goal of a security culture is to encourage greater security and change, it must be disruptive to your organization’s current way of doing things. The keyword here is organized chaos, which means that while we encourage disruption, it must be managed. How you shake things up must be deliberate – nothing should be left to chance.
2. It is fun and engaging: who says cybersecurity has to be boring and stuffy? Not us! Neither should your CSO. In general, people want to participate in a security culture that is equal parts challenging and enjoyable. 

 

(Alt Text: Two Yellow Emoji In A Yellow Emoji Case) 

Not sure how to go about this? 

We’ve got some ideas. Instead of a dull voice over a PowerPoint presentation, consider playing a game of security trivia. Or maybe schedule a meeting to catch up on security news – don’t be afraid to laugh and have fun.

3. It is rewarding: incentives make tasks more interesting. What better way to motivate your employees to invest their time and effort in CSO security than by offering rewards to encourage participation?

Look for opportunities to celebrate success. When someone completes a required cybersecurity program, celebrate them openly or offer something more substantial. Most people are highly motivated by a simple monetary reward. Alternatively, provide opportunities for team members to advance into dedicated security roles, which is a win-win all around. 

4. It generates a return on investment. The goal of security is to reduce your organisation’s vulnerabilities, which is what a healthy security culture does. However, the initial cost of doing so can be prohibitively expensive. But when you count the cost, the return on investment for preventing just one data breach far outweighs any upfront monetary discomfort.

What Next? 

The foundation of digital security and safety is complete understanding of how to safeguard information and data. However, it is only one component of the puzzle; the other is implementation. So, dive right in! 

 

If you need more help with your setup, we recommend reading our guide on data protection and privacy design and default. Alternatively, if your company requires a more comprehensive, customized online privacy protection plan that goes beyond the guidelines outlined in this article and the white paper, don’t hesitate to get in touch with us; we’d love to hear from you.