Measure to Improve: The GCSA’s Role in Nonprofit Cyber Resilience

CyberPeace Institute
Alexandru LAZAR

At a time when cyber threats are constantly evolving, nonprofits face unique challenges in ensuring the continuity of their life-saving operations, safeguarding their digital assets, and maintaining the trust of their stakeholders. An increasing number of civil society organizations (CSOs) report being targeted by cyberattacks, yet these organizations often lack the awareness and technical capacity to address cybersecurity requirements. The CyberPeace Institute recognizes this need. Created in 2019, the Institute delivers free cybersecurity assistance to more than 200 CSOs around the world through its flagship program, the CyberPeace Builders.

To help CSOs identify the cyber risks they face, and to ensure the appropriate solutions are provided, the Institute developed the General Cybersecurity Assessment (GCSA), a comprehensive self-assessment tool designed to help CSOs evaluate their own cybersecurity maturity level and compare it with industry standards and peers. Since 2021, the tool has been continuously improved based on the feedback and needs identified together with the CSOs participating in the CyberPeace Builders program, as well as on the ever-changing cybersecurity threat landscape.

Yet another security assessment?

Fortunately, several similar cybersecurity assessment tools for CSOs already exist and are publicly available. In building the GCSA, we reviewed many of them, including Ford Foundation’s Cybersecurity Assessment Tool (CAT), TechSoup’s Digital Assessment Tool, SAFETAG, TechImpact’s Expert Guided Security Assessment, and the UK’s Cyber Essentials Readiness Toolkit, to mention but a few. We also looked at non-cyber digital assessment tools, such as Data.org’s Data Maturity Assessment. These tools are instrumental in helping CSOs increase their digital security awareness and identify risks. The rationale for the CyberPeace Institute to create yet another assessment, the GCSA, was to use its results to help CSOs close the identified security gaps with volunteers, via our CyberPeace Builders program. Tailored for busy non-technical professionals, but still rooted in the NIST Cybersecurity Framework, the GCSA consists of 9 categories with a total of 30 questions. Each question is connected to at least one of the 34 missions available within the CyberPeace Builders program, ranging from awareness training and policy development to more technical missions, such as website vulnerability scanning.

The GCSA in practice

This self-assessment takes less than 20 minutes to complete. As CSOs often lack a single point of contact for cybersecurity, the tool was designed so that different staff members of the organization can provide input. After completion, the organization receives a two-page final report containing a color-coded matrix, as illustrated in Figure 1 below. This simple, colorful summary, suggested by one of our volunteers who runs a small MSSP, helps capture senior management’s attention and supports decision-making.

Figure 1

In addition to the results matrix, the CSO receives a breakdown of its score, a comparison with the other organizations in the CyberPeace Builders program, and a list of the top five missions we recommend it undertakes with our volunteers.

From assessing to building capacity

For instance, if an organization scores relatively low on Cybersecurity Awareness, it is recommended to conduct an awareness training session or a phishing exercise with one of the volunteers. If it does not use a password manager or has not implemented multi-factor authentication, our volunteers will offer to search the dark web for leaked credentials, and spend time explaining the risks and how to improve on the Identity and Access Management (IAM) front.
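As an added illustration, and not the Institute’s code, the following Python sketches the mechanics the text describes: per-category and overall scores, the color-coded matrix, a peer comparison, and a top-five mission list derived from the question-to-mission mapping. The three categories, eight questions, mission names, 0/1/2 answer scale, color thresholds and peer scores are all constructed assumptions; the real GCSA’s questions, weights and scoring are not published on this page. The one design point worth noting is how the top-five list is built: a greedy set cover over the remaining gap per question, so that the five slots are not spent on missions that all fix the same weakness.

```python
"""Scoring a questionnaire-style self-assessment and turning the gaps into a
ranked mission list.  Constructed illustration: the categories, questions,
missions, 0/1/2 answer scale, colour thresholds and peer scores below are all
assumptions, not the GCSA's real content or scoring."""
from statistics import median

# Assumed mini-questionnaire: category -> question ids (the real GCSA has
# 9 categories and 30 questions; three categories and eight questions suffice).
CATEGORIES = {
    "Cybersecurity Awareness": ["Q1", "Q2", "Q3"],
    "Identity and Access Management": ["Q4", "Q5", "Q6"],
    "Web Application Security": ["Q7", "Q8"],
}

# Assumed question -> missions mapping; the page only says each question maps
# to at least one of the 34 missions.
MISSIONS = {
    "Q1": ["Awareness training"],
    "Q2": ["Awareness training", "Phishing exercise"],
    "Q3": ["Phishing exercise"],
    "Q4": ["Password manager rollout", "Leaked-credential check"],
    "Q5": ["MFA rollout"],
    "Q6": ["Leaked-credential check"],
    "Q7": ["Website vulnerability scan"],
    "Q8": ["Code review"],
}

MAX_ANSWER = 2  # assumed scale: 0 = no, 1 = partially, 2 = yes
ALL_QUESTIONS = [q for qids in CATEGORIES.values() for q in qids]


def _pct(got, questions):
    return round(100 * got / (MAX_ANSWER * len(questions)))


def category_scores(answers):
    """{category: score 0-100}; an unanswered question counts as 0."""
    return {
        cat: _pct(sum(answers.get(q, 0) for q in qids), qids)
        for cat, qids in CATEGORIES.items()
    }


def overall_score(answers):
    """Overall score 0-100 over every question, unweighted."""
    return _pct(sum(answers.get(q, 0) for q in ALL_QUESTIONS), ALL_QUESTIONS)


def colour(score):
    """Red/amber/green cell for the management matrix (assumed thresholds)."""
    return "red" if score < 34 else "amber" if score < 67 else "green"


def compare_to_peers(score, peer_scores):
    """Peer median and the share of peers scoring at or below this organisation."""
    return {
        "peer_median": median(peer_scores),
        "at_or_below": sum(s <= score for s in peer_scores) / len(peer_scores),
    }


def recommend_missions(answers, top_n=5):
    """Greedy set cover over the remaining gap per question: each round picks
    the mission that closes the most gap, then marks those questions covered,
    so the list does not spend several slots on the same weakness.
    Stops early when nothing is left to fix."""
    remaining = {q: MAX_ANSWER - answers.get(q, 0) for q in ALL_QUESTIONS}
    chosen = []
    while len(chosen) < top_n:
        gain = {}
        for q, missions in MISSIONS.items():
            for m in missions:
                gain[m] = gain.get(m, 0) + remaining[q]
        best = max(gain, key=gain.get)  # ties: earliest-listed mission wins
        if gain[best] == 0:
            break
        chosen.append(best)
        for q, missions in MISSIONS.items():
            if best in missions:
                remaining[q] = 0
    return chosen


def report(answers, peer_scores):
    """Assemble the pieces of the report described in the text."""
    cats = category_scores(answers)
    return {
        "overall": overall_score(answers),
        "matrix": {cat: (s, colour(s)) for cat, s in cats.items()},
        "peers": compare_to_peers(overall_score(answers), peer_scores),
        "top_missions": recommend_missions(answers),
    }


# Constructed sample data: one newly joined organisation and a peer group.
LOW = {"Q1": 0, "Q2": 0, "Q3": 0, "Q4": 0, "Q5": 0, "Q6": 1, "Q7": 0, "Q8": 0}
PEERS = [6, 20, 35, 42, 58, 78]

if __name__ == "__main__":
    for key, value in report(LOW, PEERS).items():
        print(f"{key}: {value}")
```

For the constructed low-scoring organisation the greedy step first picks the mission closing the biggest gap (awareness training), then the leaked-credential check because it covers two IAM questions at once, and only then the phishing exercise, whose remaining benefit shrank once awareness training covered one of its questions. An organisation with a single partial answer gets a one-item list rather than five padded recommendations.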

Furthermore, the GCSA is not a one-time evaluation: it gives CSOs a way to track progress. CSOs can take the assessment when they join the CyberPeace Builders program, which provides an initial snapshot of their cybersecurity maturity at that point in time. Additional value emerges when they revisit the assessment six months into the program.

In March 2022, a Geneva-based nonprofit working to improve the postpartum experience of women joined the CyberPeace Builders program. The results of the assessment indicated a very low level of cybersecurity (overall score: 6 points out of 100), with entire security controls missing. According to the nonprofit, however, the assessment was very informative, as it gave them a starting point to work from without “getting lost” in the vast domain of cybersecurity. This starting point was an awareness training session, which gave all their staff a solid understanding of why cybersecurity matters for them as an organization. Shortly after, a volunteer conducted a vulnerability scan of the app they developed to assist women postpartum, and another expert then reviewed the app’s code to strengthen it further. These are just some of the initial missions the nonprofit identified after completing the GCSA.



Fast forward one year, and the nonprofit decided to conduct a second evaluation of its cybersecurity. The second assessment allowed them to visualize the considerable progress made since joining the program (overall score: 78 points out of 100). After the first assessment, the nonprofit understood how important cybersecurity is for them and mobilized resources to invest in it; in the meantime, it also hired its own cybersecurity expert. Regular assessments thus enable nonprofits to stay ahead of emerging risks, ensuring that their cybersecurity strategies remain adaptive and effective. The ability to track progress also enhances transparency and accountability, fostering a culture of continuous improvement within the organization. It transforms the assessment from a snapshot locked in time into a dynamic tool for organizational growth and digital security.

Agile development

So far we have reviewed the GCSA every year to keep it consistent with the NIST framework and with emerging threats. For instance, in our last review we added a question on the secure use of generative AI. This ensures the tool incorporates the latest insights into emerging cybersecurity threats and best practices.

We have also realized that for many CSOs, a 30-question assessment can feel like too much. To lower the bar for this first step into the world of cybersecurity, and to open the conversation at in-person events such as security conferences, we created the Essential Cybersecurity Assessment (ECSA). It is a 3-minute version composed of only 9 questions, identified as top priority for nonprofits, resulting in 3 critical missions to be taken with volunteers.

What’s next?

The GCSA serves as an essential tool to evaluate and enhance the cybersecurity posture of CSOs. Tailored for non-technical users and grounded in the NIST Cybersecurity Framework, it not only helps identify cybersecurity weaknesses but also tracks improvement over time. But it is just a first step. As the saying often attributed to Peter Drucker goes, you can’t improve what you can’t measure. The GCSA’s ultimate goal is to pave the way towards digital resilience, and to make the nonprofit sector the most secure in the world.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
