Security for NGOs

Recently I've attended a small security-related workshop which proved to be particularly interesting as it touched a particular area: security for NGOs.

ONG are an interesting case because they can face some particular challenges:

  • limited budget that is allocated towards their particular activities => investment in security infrastructure and procedures tend to be low to non-existent, at the same time it means it's difficult to guarantee access to security professionals for setting up and maintaining even medium-grade security. Given the latter, changing security personnel also means getting help from people with different approaches when complete overhauls may come with their own risks.
  • NGO activities tend to be disruptive to social status quo => there are always interested parties that look forward to penetrating networks in order to access sensitive documents
  • volunteering cycles => meaning that people tend to come and go at an accelerated pace with the implication that time can't always be dedicated to properly ensure differentiated access, training into security procedures won't be a priority

These challenges mean that security won't be tackled in the same way corporations do it even though NGOs may be facing similar threat levels. Complex security setups like firewall restrictions may even prove detrimental to activity and the way people are used to do things.

The easiest step to take would to move the infrastructure into a cloud. One of the cheapest solutions (basically free) would be Google's offer for NGO which comprises of hosting of mail, Google Docs, Drive storage, infrastructure for direct donations, free Google Ads credits for promoting NGO activities as well as Google Earth Outreach programme. In most countries, your NGO must first signup for the Techsoup Global Programme, which certifies your organization as a valid recipient for tech donations.

In case moving to a cloud isn't an option, there are some minimum-level recommendations that can help:

  • using hardware encryption: software encryption is great, but hardware encryption means that you can buy a flash drive or a NAS, plug it in and everything you use will be stored in an encrypted form. Sure, if your legitimate means of access is compromised, your data can still be accessed, but a direct hack or stolen hardware won't compromised the data.
  • VPN access: using VPN access for your remote collaborators means that you don't need to expose your internal services directly, your communications are reasonably secure and your collaborators can still access local network resources when away. Rights setup, encryption keys, etc ensure that if one collaborator's system is compromised then access can be restricted with minimal effort.
  • use Linux & open source software: the Linux community is huge and you will always find people ready to assist directly be it day or night. Linux desktop systems (like Mint or Ubuntu) are much friendlier nowadays while Office suits such as LibreOffice were created with ONG use in mind and are completely Microsoft compatible. Many Western NGOs make this point one of integrity as to not be dependent on corporate software.
  • use ready-made NAS storage: nowadays NAS (network attached storage) unit as fairly cheap, come with backup functionality built-in and are aimed at non-technical organisations. They have security functionality built in and most can be used for anything: plain & simple storage, media servers (ready to play sound and video to any device, even mobile), VPN servers, web servers, databases, document and archive storage complete with applications. They are truly cost-saving angels, complete with community support. When having collaborators abroad they can serve as collaboration tools with shared workspaces regardless of geographical location, all under your control. Also, they can be setup with encryption, so in a way they can round-up all the above points.
  • use UPS: uninterruptible power supplies can protect your infrastructure against power outages and keep your network running. Aside from simply having access, another important security problem they solve are resets. Power surges can completely reset things such as NAS units or routers, removing their security settings and reverting them to defaults. Being able to do a friendly shutdown can be a welcome bonus to having some extra uptime.
  • convention over configuration: often having your collaborators respecting access protocols (don't touch that email promising money from Nigerian princes!!) can be more important, since people using access shortcuts may find ways to circumvent protocols.

These are only a few basic points, since a detailed breakdown of low-cost security can take quite some time to describe - the above should prove to be a good starting point.