NGOs and humanitarian nonprofits depend on digital communication technologies and software to coordinate their missions worldwide. In particular, organizations working in humanitarian aid need these technologies to perform operations such as data collection, classification, and analysis.
Security threats are not a new issue for NGOs. Delivering aid to those in need is already risky in regions where wars continue or harsh climatic conditions prevail. But reliance on technology has introduced a new set of security challenges: cyberthreats.
Motivations Behind Cyber Attacks Against NGOs
NGOs and humanitarian organizations provide assistance and protection, raising over $30 billion annually. Threat actors see this budget as a highly lucrative business opportunity. NGOs are not subject to the strict security measures that apply to large corporations or government affiliates, so they become targets from which attackers can profit with far less effort. Funds from around the world also make this field an inexhaustible resource.
It is no surprise that the ransomware and cybercrime trend, which has increased significantly all over the world, also affects NGOs. Research shows that close to 50% of these organizations are targeted.
These organizations, which aim to help communities with issues such as environmental problems, access to education, health, water, and food, are targeted by cyber-attacks for various reasons:
- Preventing them from carrying out their activities
- Accessing data about stakeholders
- Stealing funds, sensitive data, and information
- Spreading malicious and politically engaged messages by hijacking or misusing the identities of people in key positions
- Running or assisting disinformation campaigns
Known Recent Attacks
In May 2021, Volunteer Service Abroad (VSA), New Zealand’s largest volunteering organization, was the victim of a ransomware attack. Its vital data was encrypted, and much of it was lost. Although VSA’s refusal to pay the ransom to the threat actors caused this huge loss, the organization has taken significant measures to ensure that a similar cyber incident does not happen again.
Another victim targeted by the attackers was the nonprofit healthcare organization Scripps Health. Due to a security breach in its system, it went offline and had to suspend its activities.
Another ransomware attack in the US in December 2020 again demonstrated that threat actors are disregarding the well-being of society. When close to 6 million Americans were dependent on food aid due to Covid-19, a US$1 million attack took place on a food bank in Philadelphia.
Attackers regularly target NGOs by combining spearphishing and identity theft. Because of this and similar events, Save the Children lost $1 million in 2018. Roots of Peace suffered a loss of US$1.3 million in 2020.
How Can NGOs Protect Themselves From Possible Cyber Attacks?
Most cyber-attacks succeed by exploiting specific vulnerabilities or carelessness. Giving employees more cybersecurity awareness training is the most effective weapon NGOs have for reducing potential threats. On the other hand, not all NGOs may have the resources to create their own cybersecurity team.
NGOs can refer to these tips to reduce the risk of cyber attacks:
- Protect critical data: Secure the data of donors, employees, and beneficiaries against potential data theft. Not collecting non-essential information (Social Security number, birthday, bank account) from donors can also be considered within this scope.
- Inform donors: Provide donors with adequate information about fraud risks. Show them how to donate safely.
- Beware of phishing: Phishing is the primary infection vector for ransomware attacks. Do not trust suspicious emails or social media mentions.
- Train your team: The best way to protect your funding against attacks like CEO fraud is to provide cybersecurity training to employees.