CyberPeace Analytical Report:
NGOs serving Humanity at risk: Cyber Threats affecting "International Geneva"
In the heart of International Geneva, a diverse ecosystem thrives, housing 38 international organizations (IOs), 432 non-governmental organizations (NGOs), and several hundred associations active at an international level, all united by a shared mission: to make the world a place of peace and justice. NGOs are the unsung heroes, addressing armed conflicts, natural disasters, and humanitarian crises, championing human rights, and advancing the Sustainable Development Goals (SDGs). Like many other organizations, NGOs heavily rely on technology, which is critical for projecting their activities globally in real time. Yet, in today’s digital landscape, this reality brings its own set of challenges.
While fighting for the greater good, NGOs must battle against all forms of cyberattacks, ranging from espionage and ransomware to fraud and disinformation. On one side, they are targeted by various threat actors - criminal groups, state actors, terrorist groups or hacktivists - seeking to disrupt their work, compromise data, and tarnish their reputation. On the other, they lack the human and financial resources to protect themselves.
In Geneva, the CyberPeace Institute safeguards these heroes. Our cybersecurity services for NGOs include threat landscape mapping, volunteer-led consulting, alert notifications, and providing policy recommendations to donors and public/private decision-makers. All these services are free and tailored to the NGOs’ operational reality.
The Report aims to provide actionable recommendations to build capacities and resilience to mitigate cyber risks. It provides insights on the organizational readiness of NGOs to prevent, respond to and recover from cyberattacks. Using data, including primary data from surveys and interviews, the Report looks at the threats NGOs face, the vulnerabilities they are exposed to, and examines their preparedness to mitigate these challenges. Its ambition is to reinforce NGOs’ resilience in a sustainable manner, and for them to become the primary actors of their cybersecurity.
- 41% of NGOs report having been victims of a cyberattack within the past three years.
- All NGOs that have experienced attacks report that these were not isolated events. The frequency of these incidents varies, with some NGOs facing incidents on a daily basis and others encountering them on a monthly or annual basis.
- 70% of NGOs either do not believe, or are not sure, that they have an adequate level of resilience to recover from a disruptive cyberattack.
- NGOs, unlike entities recognized as critical infrastructure, lack specific designation as a sector for particular protections in cyberspace.
- Funding for NGOs is generally earmarked for specific projects, often leaving cybersecurity without dedicated financial support.
- 33% of NGOs report having no IT support or technical expertise, and 56% of NGOs report not having a budget allocated for their cybersecurity needs.
- While NGOs generally recognize a variety of potential threats, such as social engineering, ransomware, and other malware, only 4% have an actionable cybersecurity policy.
- 85% of NGOs recognize the importance of staff awareness in cybersecurity, yet only 52% provide regular cybersecurity awareness training to their personnel.
- NGOs are confronted with a rapidly changing landscape of regulation, norms and laws related to the use of technology and obligations in the event of cyberattacks, for instance data protection obligations in the case of a data breach.
- Freely available cybersecurity tools accessible to NGOs are not tailored to their specific operating and business models. Access to and awareness of these tools alone does not equate to sustainable cybersecurity.
- NGOs require more than tools and knowledge; they also require a cybersecurity workforce (people and skills).
Recommendations for the International Geneva
While the key findings shed light on the critical challenges that non-governmental organizations (NGOs) in International Geneva face in the realm of cybersecurity, the following recommendations, rooted in desktop research, surveys, and interviews, provide a concrete roadmap for action. These recommendations are structured according to a cyber capacity building framework developed by the United Nations Institute for Disarmament Research (UNIDIR), covering five key pillars: official documents, processes and structures, partnerships and networks, people and skills, and technology.
- Public authorities in Switzerland and in the International Geneva should officially reaffirm their commitment to protecting NGOs, their staff, and data from cyberattacks.
- Geneva-based NGOs should develop and implement cybersecurity governance policies and practices, including a cybersecurity policy, an incident response plan, and an asset inventory. The CyberPeace Institute, as a local partner, commits to help them do that.
- The CyberPeace Institute and its academic partners should enhance their efforts to document, track, and analyze cyberattacks against NGOs within the Geneva ecosystem and any subsequent accountability measures taken, including the prosecution of perpetrators.
- The Swiss Confederation and the Republic and Canton of Geneva should build capacity to investigate and prosecute cybercrimes against NGOs. In cases involving ransomware, investigations into the financial flows stemming from extortion schemes should be conducted to hinder the activities of threat actors. Public authorities should actively promote a position that discourages the payment of ransoms, emphasizing that it directly finances organized crime and encourages further cyberattacks.
- The public authorities in Geneva, together with the National Cyber Security Center, should actively promote transparent reporting on cyberattacks against NGOs to inform policy-making. Robust safeguards should be in place to protect the confidentiality and integrity of this information.
- Cybersecurity companies based in Geneva, and private companies that employ cybersecurity professionals, should join the CyberPeace Builders programme to volunteer their expertise to help Geneva-based NGOs. Private companies can benefit from the CyberPeace Builders programme by showcasing social responsibility and fostering staff skill development in real-world scenarios. These collaborations also strengthen cross-sector relationships, offering insights into NGO cybersecurity challenges and improving companies’ ability to address evolving threats.
- The public authorities in Geneva should actively facilitate the study of existing and potential cyber threats faced by NGOs. Collaborative initiatives with academia and civil society organizations can be instrumental in building knowledge about cyberattacks and their impact on NGOs.
- Media organizations reporting on cyberattacks in the Geneva ecosystem should actively collaborate with the local ecosystem to prioritize highlighting the human impact these attacks have on NGOs and the beneficiaries they serve.
- The Republic and Canton of Geneva and local academia should continue to allocate resources to enhance the knowledge and expertise related to cybersecurity within NGOs. This includes setting up cyber clinics to help NGOs develop in-house capabilities through training, or to outsource to external providers when necessary.
- Local corporations and civil society in the Geneva ecosystem should collaborate to share in a secure manner threat information about attacks against NGOs and the vulnerabilities that threat actors exploit with ease.
- The CyberPeace Institute and its partners should continue to develop free cybersecurity products for NGOs, and develop partnerships with Geneva-based private companies to offer their solutions for free to local NGOs.
Recommendations for NGOs
NGOs should follow guidance and advice provided by the National Cybersecurity Centre (NCSC). The NCSC website provides information and advice on topics including cyber threats and incidents, technology considerations, awareness-raising and prevention. NGOs can also use the website to report cybersecurity incidents and vulnerabilities.
NGOs should report cyber incidents to the relevant Swiss law enforcement agency and to the NCSC.
NGOs should join the CyberPeace Builders to benefit from actionable and free cybersecurity resources, including skilled experts, adapted technology, and support in developing their digitization strategy.
NGOs should organize simulations to test their cybersecurity policies and practices. NGOs should also regularly run security awareness and training programs for all staff members, including board members and senior leadership teams. Specialized training on social engineering attacks, such as phishing exercises, should also be conducted. NGOs should also conduct vulnerability scans of their digital assets and ensure they follow the latest security recommendations.
NGOs should maintain official documents outlining their cybersecurity policies and procedures, with a particular emphasis on software management. Regularly updating software, removing unsupported or unused software, and disabling unnecessary user accounts should be documented as best practices.
NGOs should establish clear processes and procedures for the identification and implementation of cybersecurity tools. This includes Multi-factor Authentication (MFA), Next-Generation Anti-Virus (NGAV) software, Firewalls, Password Managers, Virtual Private Networks (VPNs), and Data Loss Prevention (DLP) systems.
NGOs should develop robust backup procedures to mitigate the impact of cyberattacks, infrastructure failures, outages, or unexpected events. These procedures should be documented and regularly tested.
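The recommendation above says backup procedures must be documented and regularly tested. Testing means more than confirming that a backup job ran: a restore has to be performed and the restored data compared against what was backed up. The following is an added illustration written for this report, not CyberPeace Institute tooling. It records a SHA-256 manifest of a source tree at backup time, then checks a restored copy against that manifest and reports files that came back modified or not at all. The files, directory names and the "bad restore" it simulates are constructed for the example.

```python
"""Backup restore drill: build a hash manifest at backup time, then verify a
restored tree against it. Added example for this report (not the Institute's
code); the sample files and the simulated restore faults are constructed."""

import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest.
    The manifest should be stored separately from the backup media itself."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Returns the relative paths that restored intact, changed, or are absent."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_drill():
    """Run the whole drill on constructed data: back up, restore, then
    deliberately corrupt one restored file and delete another so the
    verification step has something to catch."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "donors"))
        # Constructed sample files standing in for an NGO's working data.
        with open(os.path.join(source, "donors", "list.csv"), "w") as f:
            f.write("name,amount\nconstructed donor,100\n")
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("constructed sample note\n")
        with open(os.path.join(source, "config.ini"), "w") as f:
            f.write("[app]\nkey=value\n")

        manifest = build_manifest(source)          # taken when the backup is made
        restored = os.path.join(work, "restored")
        shutil.copytree(source, restored)          # stands in for the restore job

        # Simulate a faulty restore: one file silently altered, one never restored.
        with open(os.path.join(restored, "notes.txt"), "a") as f:
            f.write("bit rot\n")
        os.remove(os.path.join(restored, "config.ini"))

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    outcome = restore_drill()
    for status, files in outcome.items():
        print(f"{status}: {files}")
```

In a real drill the manifest is built on the live system before the backup runs and kept with the backup documentation, and the verification runs on a machine other than the one being backed up; a drill that reports any `modified` or `missing` entries is a failed test and should be recorded as such.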
To protect their web services effectively, NGOs should document processes for safeguarding back-end admin interfaces behind a reverse proxy that masks origin IP addresses and processes queries securely. Additionally, they should implement Domain Name System (DNS) and network proxy solutions offering DDoS protection, and use certificate issuers for website protection.
NGOs should provide clear guidance to their users on checking whether their private and professional email accounts have appeared in known data breaches. They should also establish documented procedures to follow in the event of a breach.
NGOs should schedule regular security audits conducted by external third-party experts, documenting the audit process and results.
NGOs should establish documented naming conventions with consistent rules for account naming, facilitating cybersecurity management.
NGOs should document processes for the regular review and verification of security for external accounts.
To reduce security risks, NGOs should maintain official documents outlining procedures for restricting administrative privileges to a minimal number of trusted users.
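Several of the recommendations above (disabling unnecessary user accounts, consistent account naming conventions, regular review of external accounts, and restricting administrative privileges to a minimal set of trusted users) can be checked mechanically against an account export from a directory or SaaS admin console. The script below is an added illustration for this report, not CyberPeace Institute code. The account inventory, the naming rules, the admin limit and the review intervals are assumptions chosen for the example; an NGO would substitute the values from its own policy documents.

```python
"""Audit a user-account inventory against documented account-hygiene rules.
Added example for this report (not the Institute's code). The inventory,
naming conventions and thresholds below are constructed assumptions."""

import re
from datetime import date

# Assumed policy values; an NGO's own cybersecurity policy would set these.
NAMING_RULES = {
    "staff": re.compile(r"^[a-z]+\.[a-z]+$"),          # firstname.lastname
    "external": re.compile(r"^ext-[a-z]+\.[a-z]+$"),   # partners and contractors carry an ext- prefix
    "service": re.compile(r"^svc-[a-z0-9-]+$"),        # non-interactive accounts carry an svc- prefix
}
MAX_ADMINS = 2            # documented maximum number of enabled administrators
DORMANT_DAYS = 90         # enabled accounts unused this long should be disabled
EXTERNAL_REVIEW_DAYS = 90 # external accounts must be re-approved this often
TODAY = date(2024, 3, 4)  # fixed "now" so the example is reproducible

# Constructed inventory shaped like a directory export.
INVENTORY = [
    {"user": "anna.keller",     "kind": "staff",    "admin": True,  "enabled": True, "last_login": date(2024, 3, 1),  "last_review": None},
    {"user": "omar.haddad",     "kind": "staff",    "admin": True,  "enabled": True, "last_login": date(2024, 2, 20), "last_review": None},
    {"user": "jdoe",            "kind": "staff",    "admin": True,  "enabled": True, "last_login": date(2024, 2, 28), "last_review": None},
    {"user": "lea.moser",       "kind": "staff",    "admin": False, "enabled": True, "last_login": date(2023, 9, 5),  "last_review": None},
    {"user": "ext-paul.martin", "kind": "external", "admin": False, "enabled": True, "last_login": date(2024, 2, 1),  "last_review": date(2023, 10, 1)},
    {"user": "svc-backup",      "kind": "service",  "admin": False, "enabled": True, "last_login": date(2024, 3, 1),  "last_review": None},
]


def audit_accounts(inventory, today):
    """Return (username, finding) pairs for every deviation from the rules.
    The username "*" marks findings about the inventory as a whole."""
    findings = []

    # Least privilege: how many enabled accounts hold administrative rights?
    admins = [a["user"] for a in inventory if a["admin"] and a["enabled"]]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} enabled admin accounts exceed the limit of {MAX_ADMINS}: {', '.join(admins)}"))

    for acct in inventory:
        user = acct["user"]

        # Naming convention for the account's category.
        rule = NAMING_RULES.get(acct["kind"])
        if rule is None or not rule.match(user):
            findings.append((user, f"name does not follow the {acct['kind']} naming convention"))

        # Dormant but still enabled accounts are an unnecessary attack surface.
        idle_days = (today - acct["last_login"]).days
        if acct["enabled"] and idle_days > DORMANT_DAYS:
            findings.append((user, f"no login for {idle_days} days; disable or justify"))

        # External accounts need a periodic, documented access review.
        if acct["kind"] == "external" and acct["enabled"]:
            review = acct["last_review"]
            if review is None or (today - review).days > EXTERNAL_REVIEW_DAYS:
                findings.append((user, "external account overdue for access review"))

        # Service accounts should never carry administrative rights.
        if acct["kind"] == "service" and acct["admin"]:
            findings.append((user, "service account holds admin rights"))

    return findings


def run_audit():
    """Audit the constructed inventory as of the fixed date above."""
    return audit_accounts(INVENTORY, TODAY)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:18} {finding}")
```

Run against the constructed inventory, the audit flags three administrators where the policy allows two, an account (`jdoe`) that does not follow the staff naming rule, a staff account idle for roughly six months, and an external account whose last review is overdue. The output is a list an administrator can work through and record, which is what "documented procedures" in the recommendation amounts to in practice.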
NGOs should document security measures that ensure all exposed service ports are secured with SSL/TLS encryption to prevent unauthorized users from intercepting data.
NGOs should follow documented best practices for email security, including DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
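DKIM and DMARC only protect an NGO's domain from being spoofed when the published records are strict enough: a DMARC policy of `p=none`, a `pct` below 100, or an SPF record ending in `?all` or `+all` leaves receivers free to accept forged mail claiming to come from the organization. The following evaluator is an added example written for this report, not CyberPeace Institute tooling. It takes the SPF and DMARC TXT record strings as they would be returned by a DNS lookup (the lookup itself is left out so the example runs offline) and reports the weak settings a practitioner would look for. The two sample domains and their records are constructed, not real DNS data.

```python
"""Evaluate published SPF and DMARC records for weak settings.
Added example for this report (not the Institute's code). The records below
are constructed samples shaped like DNS TXT answers; no real domain's data."""

import re

# Constructed sample records for two fictitious domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@strong.example; adkim=s; aspf=s",
    },
}

# SPF terms that each cost one of the ten DNS lookups RFC 7208 allows.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record):
    """Return a list of findings for an SPF record; an empty list means no concern."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed (no v=spf1)"]
    findings = []
    mechanisms = record.split()[1:]
    all_term = next((m for m in mechanisms if m.lower().endswith("all")), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism; unmatched senders are implicitly neutral")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("SPF uses '+all': any host may send as this domain")
    elif all_term.startswith("?"):
        findings.append("SPF uses '?all' (neutral): unmatched senders are not rejected")
    elif all_term.startswith("~"):
        findings.append("SPF uses '~all' (softfail): move to '-all' once all sending sources are listed")
    lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; above the limit of 10 receivers return permerror")
    return findings


def evaluate_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means no concern."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never blocked")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append("DMARC policy tag 'p' missing or invalid")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: nobody receives aggregate reports")
    return findings


def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's records."""
    return {"spf": evaluate_spf(records.get("spf", "")),
            "dmarc": evaluate_dmarc(records.get("dmarc", ""))}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, assess_domain(records))
```

For the constructed `weak.example` the evaluator reports the neutral `?all`, the monitoring-only `p=none`, the partial `pct=50` and the missing `rua` address; `strong.example` comes back clean. DKIM is not checked here because its selector records are per-sender and per-key; the corresponding check is that every service sending mail as the domain has a published selector and that DMARC alignment (`adkim`) is satisfied.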
NGOs can also join the Institute’s CyberPeace Builders programme to benefit from actionable and free cybersecurity assistance and support. The CyberPeace Builders programme equips NGOs with guidance and cyber threat intelligence so they can detect upcoming cyberattacks, builds NGO cyber capacity to prevent cyberattacks against them or their beneficiaries, and connects cybersecurity experts with NGOs through a volunteering platform to foster community engagement.
The CyberPeace Institute acknowledges and thanks the NGOs that participated in this Project for their important contribution. The analysis, findings and conclusions of this Report have been developed by the analysts and other experts of the CyberPeace Institute. They have been shared with the NGOs that participated in the research, but those NGOs have not been asked to endorse them.