In the dark side of cyberspace, ransomware and cybercrime is on the rise. Recent ransomware attacks on the Colonial Pipeline by the hacking group DarkSide, and against the food giant JBS have exposed the capacity of such attacks to cripple crucial infrastructure. Of the 128 major disclosed cyber incidents in May 2021, 40% were categorized as ransomware.
NGOs are no stranger to this growing trend, and are often the victim of attacks targeting critical yet vulnerable infrastructure such as health, water and food. Over 50% of NGOs report being targeted, as a growing number of recent incidents illustrate.
As recently as May 2021, New Zealand’s largest volunteer agency in international development, the Volunteer Service Abroad (VSA), was hit by a ransomware attack that encrypted vital information in its data systems, some of which were lost as a result. The VSA refused to pay the ransom and has since recovered from the attack and put measures in place to prevent a recurrence.
The non-profit health provider Scripps Health was taken offline by a security breach in May. A Philadelphia food bank was hit by a US$ 1 million ransomware attack in December 2020 at a time when 5.6 million Americans were dependent on food handouts due to Covid.
Another common scam used against NGOs and nonprofits is CEO Fraud. The hybrid method combines spearfishing and identity theft to trick NGOs into making wire transfers. It’s already cost Save the Children US$ 1 million in 2018, and caused Roots of Peace a total loss of US$ 1.3 million in 2020.
The existential risk to NGOs in critical sectors
NGOs involved in humanitarian and other actions are heavily dependent on mobile and digital technologies to coordinate and fulfil their missions. They often operate in regions with limited or unreliable infrastructure that can expose them and employees to acute risk of data interception, tracking, or unauthorized access with potentially lethal consequences for volunteers, beneficiaries and other stakeholders. NGOs may also be targets of malicious and politically motivated cyber attacks such as web defacement. These may involve hijacking and misusing their identities and websites to misdirect resources and volunteers and spread malicious misinformation.
As organizations whose primary function is the sourcing and distribution of aid and raising awareness of issues, these actions can have a crippling impact on their ability to function and respond to a crisis. Such attacks put huge pressure on NGOs’ limited resources. They not only prevent NGOs from fulfilling their missions in the short-term, they can also inflict long-term reputational damage and undermine the confidence in its ability to fulfil its role in current and future crises and emergencies. As a result, donors, sponsors and host nations may cancel their relationship with an NGO and withhold its mandate, resulting in its termination.
Prevention better than the cure
Despite the risks, most cyber attacks exploit known or basic vulnerabilities that can easily be prevented by taking simple precautions. Black hat hacking is in many respects a sophisticated form of burglary. Just like a break-in, it’s often simple carelessness that lets an intruder in the door. The simplest and most basic precautions can prevent a breach. Over 50% of NGOs have already partially developed cybersecurity frameworks and have introduced awareness training for their staff. However, lack of resources may mean many organizations are unable to employ dedicated staff toward comprehensive cyber protection.
The [CyberPeace] Institute’s CyberPeace Builders Programme, offers support and shared resources for NGOs to help them prepare for, prevent and recover from cyber attacks. We look forward to working together and building solutions to combat this growing threat.
Please contact us at: [email protected] to learn more.
The CyberPeace Institute is an independent and neutral non governmental organization whose mission is to ensure the rights of people to security, dignity and equity in cyberspace. The Institute works to reduce the harms from cyberattacks on people’s lives worldwide, and provides assistance to NGO’s working with vulnerable communities. The Institute analyzes and raises awareness of the societal impact of cyberattacks, how international laws and norms are violated, and advances responsible cyber behaviour and accountability.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.