NGOs and Data Security: Best Practices for Data Breach Prevention


Written by Paul Diaz, VP of Policy, Public Interest Registry

This post is part of a Public Interest Registry series called “NGOs and Data Security” and is aimed at providing educational insight to noncommercial internet users around different data and information security themes.

As more of the world’s information – much of it sensitive and/or personally identifiable – is transferred, stored, and accessed online, people and organizations are more vulnerable than ever to potentially devastating data breaches. Every week new reports of compromised personal information surface and these threats don’t discriminate. Whether you’re a large multinational financial services company or an NGO exclusively focused at the local level, in today’s world no organization is immune from a cyberattack.

When it comes to sensitive information, NGOs have plenty to protect – from donors’ financial information to personal details like social security numbers and more. The threat comes not only from criminals looking to leverage personal and financial details for their own gain, but also from state actors and governments seeking to control or hinder organizations they don’t agree with. Couple this with the fact that NGOs often lack the resources necessary to fully defend against such bad actors, and you have a scenario rife with risk.

The good news is that not all cybersecurity precautions require a robust network security or IT team. Whether you’re a seasoned NGO with funds to funnel towards a strong digital infrastructure or an NGO with limited manpower and tools, there are steps you can take to better protect your organization against an external data breach. While we won’t cover all of them here, what follows are a few important tips to help get you started.

Understand the role of your service providers.
Your service providers matter when it comes to online security. Many organizations, NGOs included, don’t fully take account of their third-party providers’ and partners’ preparedness for a cyberattack. While your domain name registry plays a role in protecting your site – for example, Public Interest Registry helps to protect .orgs from online threats like Distributed Denial of Service (DDoS) attacks and technical abuses such as phishing, pharming, etc. – Internet Service Providers (ISPs) should also play an integral role in your organization’s overall online security. In fact, ISPs are often the target of attacks and regularly confront threats that can take down internet services for users across the globe. Before you consider your organization secure, check with your service provider to find out what controls are in place and ask what they recommend to mitigate the risk of a breach. High-quality ISPs will have many security measures in place – such as firewalls, intrusion detection, redundancy and more – that can provide protection for customers. Some ISPs may also offer discounted security software, round-the-clock monitoring, or custom services to help secure your network.

Identify your weaknesses.
The best cybersecurity defense will come from a clear understanding of your strengths and weaknesses. Besides exploring the issues noted above with your external service providers, some important questions to ask your internal IT manager include:

  • Is our security software up-to-date?
  • Do we have networked workstations operating without an enterprise-wide security suite?
  • Are there any former employees or volunteers who still have access to our files in the cloud?
  • When is the last time we changed all of our online passwords?
  • Are employees and volunteers working from secure wi-fi connections at all times? If not, are they trained on what they should and should not do while using an unsecured network?
  • Do we have a written policy about data security and privacy that is shared throughout the organization?
  • Do we have a contingency plan in place should we experience a breach? Further, are all relevant parties briefed and trained on their roles and responsibilities in the wake of a breach?

While this list is not exhaustive, asking such security-related questions can help orient you to your organization’s current security posture and identify any areas for improvement.

Bolster your defenses.
Once you’ve taken stock of your security profile, you can begin to bolster it and remedy any weaknesses. Essential yet easy-to-implement best practices for data breach prevention include the following:

  • Keep security software updated. Make sure that the computers used by your volunteers and employees have up-to-date security patches, along with anti-virus software, spyware prevention and firewalls.
  • Limit or discontinue the use of peer-to-peer file sharing sites.
  • Craft data privacy and data security policies that clearly outline what’s required of employees and volunteers to help keep the organization’s data safe and secure.
  • Conduct training to ensure employees can recognize potential threats as they arise and are equipped to take the appropriate action.
  • Run regular assessments of your organization’s security weaknesses, using the list above as a starting point.

It’s important to remember that there’s no silver bullet for preventing an attack. Hacks and breaches can happen to any organization regardless of its size, resources, and preparedness. For that reason, it’s critical that NGOs develop a comprehensive plan for the aftermath of a hack as well.

Check back later this fall for Part 2 of this series, which will cover more on what to do if you fall victim to a data breach, including the plans that should be in place, the best tactical response and how to communicate news to employees, donors and other stakeholders.