Nobody is safe on the Internet nowadays, as hackers don’t discriminate when choosing their victims. A clear example of that is their relentlessness in targeting enterprises activating in the sphere of social change, namely non-profit organizations (NPOs) and non-governmental organizations (NGOs).
While cases of cyberattacks in this industry have been on the rise lately due to the COVID-19 pandemic, the concept is not a new one. In the following lines, I will provide you with an overview of how NPOs and NGOs handle their cybersecurity, as well as briefly discuss a history of hacking events that involved them.
Finally, I will discuss the five Ps of cybersecurity for non-profit and non-governmental organizations, a series of essential considerations to keep in mind. So, if you’re interested in enhancing your NGOs online defenses, then keep on reading.
An Overview of Cybersecurity in NPOs and NGOs
Non-profit organizations and non-governmental organizations alike depend on information technology to manage their affairs. What is more, a large part of the data they handle can be classified as sensitive because it deals with social and charitable causes. This creates a strong demand for advanced cybersecurity in the field, but alas, do these enterprises actually practice it?
As per the findings of a report published by the Institute for Critical Infrastructure Technology (ICIT), more than 50% of the respondent NPOs and NGOs had experienced a ransomware attack. Furthermore, while 51% confirmed that they had a specifically designated unit or person in charge of cybersecurity, 49% did not.
Out of the 49% represented by organizations without an explicit cybersecurity focus, only 11% answered that they had plans to implement an online defense system in the following 6 to 12 months. However, a whopping 86% did not have such a plan in place.
This comes as no surprise, as NPOs and NGOs are heavily reliant on donor funding. The vast majority of aids are directed towards humanitarian relief actions, which does not allow them too much leeway in implementing a cybersecurity infrastructure.
Unfortunately, this creates a myriad of network vulnerabilities that hackers can exploit. In the following section, I will discuss some of the most notorious cyberattacks conducted against non-profit and non-governmental organizations in recent history.
Major Cyberattacks Against NPOs and NGOs
Cozy Bear and the Dukes
The first series of cyberattacks on non-profit and non-governmental organizations I want to discuss are those perpetrated by Cozy Bear and the Dukes. This might sound like the name of a really cool underground indie band, but I assure they put on a DYI show you won’t want to attend.
Following the 2016 presidential elections in the United States, two Russian hacker groups known as Cozy Bear and the Dukes launched an obstinate spear-phishing campaign against several American NGOs and think tanks.
With cajoling titles such as “The ‘Shocking’ Truth about Election Rigging” and an “FYI” notice sent under fake Clinton Foundation branding, hackers encouraged victims from these organizations to download a malware file. Once the Microsoft .lnk made its way on a computer, it activated the PowerDuke Backdoor program and turned the target machine into a botnet zombie.
The Bronze President Case
At the beginning of 2020, Security Week reported that a Chinese hacker group operating under the moniker BRONZE PRESIDENT has been uncovered to target NGOs across South and East Asia since 2014. A prolific cyber-espionage rink, BRONZE PRESIDENT used both public and proprietary tools to monitor said organizations, as well as steal their data and discredit them regularly.
Through custom batch scripts, the group had collected files from the targeted NGOs for years. What is more, they got their hands on credentials from sensitive and high-privilege network accounts. Hackers primarily pursued establishments that conducted research related to Chinese interests in countries such as Mongolia and India.
This led cybersecurity experts to believe that the group was either funded or at least tolerated by the Chinese government. Nonetheless, their actions did not seem to align with those of typically patriotic cybercriminals, which is why this hypothesis has yet to be verified.
The Blackbaud Incident
Sometimes, cyberattacks don’t target the organizations they want to breach individually. Instead, malicious actors focus their efforts on a third-party supplier that would allow them to hit multiple data sets with one stone. That’s exactly what happened in the first half of 2020 when cloud computing software provider Blackbaud was hacked as part of an intricate ransomware incident.
Blackbaud famously supplies the social good niche, which is comprised of non-profits, foundations, healthcare organizations, educational institutions, and individual agents of change. The company has over 45,000 working in the humanitarian field, and at least 200 US-based and 63 UK-based establishments in this category were affected by the ransomware attack. Famous names include Save the Children, CARE Canada, Partners in Health, World Vision, and the Human Rights Watch.
While it is speculated that the attack started around February 2020, it wasn’t detected until May and the information was made public in July of the same year. Blackbaud, as well as its affected clients, remain vague about the extent of the damages that hackers inflicted on their data.
The Big Boys Aren’t Alright
If the Coronavirus crisis has taught us anything in terms of cybersecurity, it’s that the reputation and size of an organization can’t protect it from the nefarious meddling of hackers. Malicious actors have been preying on our collective fears surrounding COVID-19 ever since the initial days of the outbreak, and the non-profit niche is no different.
The month of April 2020 came with an increase in cyberattacks directed towards renowned NGOs, such as the Mercy Corps and the International Federation of Red Cross and Red Crescent Societies. Even the World Health Organization (WHO) was unsuccessfully targeted by a complex phishing scam that impersonated the United Nations emailing system. All of these things had one thing in common: profiting off of the Coronavirus-related worries of employees.
As per a statement given by Mercy Corps chief information officer Michael Boeglin for the Devex media platform via email,
We have definitely noticed an increase in cyberattacks and phishing attempts since many of our team members around the world have switched to working remotely. Attackers are taking advantage of the fear, confusion, and stress that people are experiencing during the pandemic by sending phishing, smishing [fraudulent text messages], and other types of attacks designed to capitalize on these fears. They know that people are distracted, seeking information from multiple sources, and generally more vulnerable at times like these.
Jagan Chapagain, the secretary-general for the Red Cross, identified two main reasons for the spike in attacks. According to him, hackers are either interested in the financial aspect that comes along with handling donations, or they want to have a good time in lockdown as they “have plenty of time to experiment with their skills.”
Cybersecurity Considerations for NPOs and NGOs
#1 Perform a Cybersecurity Audit to Identify Vulnerabilities
The first step in improving your organization’s cybersecurity is to perform an audit. This will help you not only identify vulnerabilities in your network and workflow but outline efficient strategies to combat them as well.
Your first option here would thus be to conduct an internal cybersecurity audit by centralizing data gathered from employee tracking software and user activity monitoring. This will allow you to get a better feel of what’s going on behind closed doors, as well as:
- determine the state of your organization’s security,
- corroborate a set of cybersecurity regulations,
- and enforce the appropriate standards and best practices.
If you are not satisfied with the extent of your company’s resources when conducting a cybersecurity audit, there is also the option of contracting a third-party professional to do it for you. This is known as an external cybersecurity audit. Are you interested? Then don’t hesitate to book a free cybersecurity consultation with us by reaching out at [email protected].
#2 Provide Your Staff with Cybereducation Seminars
Human error is still the leading cause for cyberattacks, with an incident tally situated at 60%. Simply put, untrained staff might be one of your biggest security liabilities at the moment. Nevertheless, this gap can be managed with cybereducation seminars where employees can learn how to practice online safety and identify threats.
Holding regular cybersecurity training sessions will help your personnel:
- identify malicious links and attachments in emails,
- recognize attempts to impersonate companies or contractors,
- practice safe browsing and avoid suspicious websites,
- apply BYOD best practices to limit exposure,
- and understand their responsibility towards your organization’s data.
These aspects can all be learned and discussed internally, but it is always a good idea to consult an expert when in need. Investing in proper cybereducation for your non-governmental organization might seem strenuous, but it will pay off tenfold in the long run.
#3 Put an Organization-Wide Password Hygiene Policy into Effect
While it is true that password management falls under the cybersecurity education category, it deserves its own subsection. As I mentioned some paragraphs before, hackers that attack NPOs and NGOs just can’t get enough of stealing login credentials.
This is where a password hygiene policy comes into play. A strong password should:
- contain both uppercase and lowercase letters,
- plus a few numbers and symbols,
- and be changed regularly so that any stolen credentials become obsolete,
- but not according to a fixed calendar that malicious actors can learn.
Yes, you read that right, hackers can actually find out if you switch up passwords on a schedule and use that against you with cleverly timed attacks. Therefore, informing staff on what the best password management practices are is essential for them to achieve comprehensive cybereducation training.
#4 Practice the Principle of Least Privilege (PoLP)
While creating strong passwords and changing them up every once in a while will offer your organization some degree of protection, it is by no means a failsafe approach. Therefore, the next step in your holistic approach to cybersecurity should be to limit access. In this way, even if a hacker gets into your network, it won’t manage to infect all devices in it.
The way to achieve this is by practicing the principle of least privilege, which implies that every employee will have only the minimum access rights required to perform their tasks. Nevertheless, this can become time-consuming for your NGOs network admin, which is why I recommend using a privileged access management (PAM) solution in tandem with PoLP.
Heimdal’s own Thor AdminPrivilege™ is an intuitive PAM solution that will assist your network admin in managing user access. Not only does it allow for the easy escalation of rights for a fixed amount of time, but it also performs an automatic de-escalation upon the first sign of a cyber-threat. It is the only solution of its kind that provides the latter benefit, as it works in tandem with our prevention and detection tools, as well as any others you might already own.
System admins waste 30% of their time manually managing user rights or installations.
is the automatic Privileged Access Management (PAM) solution
which frees up huge chunks of sys-admin time.
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
#5 Protect Your Assets with a Complete Cybersecurity Suite
Speaking of Heimdal’s prevention and detection tools, the fifth and final step for a holistic cybersecurity approach in non-profit and non-governmental organizations is to cover all your grounds. PAM can only take you so far on the safety scale, which means that it’s time to plan ahead.
Our core offering of Thor Foresight Enterprise detects and protects against ransomware and other threats at the levels of the DNS, HTTP and HTTPs. What is more, its advanced AI and machine learning technology spot even the best hidden APTs. When combined with our Thor Vigilance Enterprise next-generation antivirus, you get Thor Premium Enterprise, a full endpoint detection and response solution.
To Sum It All Up…
Hackers have no problem with targeting social change-oriented organizations with their cybercrime sprees. Keep your NGO’s valuable private data out of their hands through a holistic cybersecurity approach that relies not only on tools, but educational resources as well. As it is always the case with cyberattacks, prevention is the best medicine. Reaction should only be your last resort.
Has your non-profit or non-governmental organization been targeted by a ransomware attack or any other type of threat? Let me know in the comments below. As always, I look forward to any suggestions, questions, and concerns you might want to share with the Heimdal Security team.