- The issue
NGOs are vulnerable to loss of critical information because of hacking. Security looks at the confidentiality, integrity and availability of data. Many NGOs think their information is confidential, yet outsiders can easily access it. They think their emails are safe, yet they send plain-text emails, which are easy to intercept, read, modify and resend, with the potential to cause havoc and the loss of key partners. And many NGOs' systems, such as email and core financial systems, are vulnerable to downtime, and the NGOs never get to know the causes of it.
System downtime, delayed emails and disclosures of secrets are tell-tale signs of security breaches.
The world has transformed a great deal. In the past, a lot of documents were manual. Today, over 95% of all documents are first created using computers, and lots of data is in electronic form. Top executives use mobile phones, computers and hard drives to store information. These systems are vulnerable to hacking. Motivated hackers don’t have to physically break into your office to access confidential information of interest.
- The cause
Many, if not all, NGOs now use computers and related applications to process and store critical confidential information in digital form, also called electronically stored information (ESI). Key information concerning incoming funds, use of funds, employee details, program details, budgets, strategy and workplans is all in digital format in one way or another.
Despite high use of computer systems, many NGOs do not invest in cyber security. You will find that a typical NGO spends over Ugx. 10m monthly at minimum on physical security to manage physical access and prevent theft. However, the computers, mobile phones, email servers and other critical servers that keep the most expensive resource – data – are not secured. The majority of NGOs never invest even 20% of their total security spend in preventing hacking or in conducting ongoing hacking threat intelligence to identify the source of rogues.
- The solution
Recognize the increasing threat of cyber security breaches to the organization. Start by creating awareness at the board level of the criticality of information technology security. I once investigated a cyber stalking case at an NGO, where all the issues that were being written about had just been discussed at a recently concluded board meeting. On further scrutiny, one of the Board members had been hacked.
The board member’s mistress had exploited trust by auto-forwarding all emails to herself. Every time board minutes and papers were sent, the mistress got a copy. She would then use such privileged information to stay ahead of the board. Not all hacking is technical. Someone listening to your phone conversation in a restaurant is a hacker. Someone checking your rubbish bin at home for any document you have put in there with personal information is a hacker. The art is exploiting the victim using the easiest means. You need a cyber security expert on your board of directors since technology is mission critical today.
For any other areas of good governance, visit www.summitcl.com/boardtools to change the way you see your organization and transform.
In the next newsletter, Issue 4, I will share about the increasing risk of staff fightbacks. We have noted increasing cases of anonymous emails sent to donors and other partners, especially after staff terminations. The emails are malicious, intended to create confusion and termination of funding by the donors. We explore how you can manage such potential risks before they occur, as they pose high reputational strategic risks. You cannot afford to miss the next issue. Know someone who would benefit from these insights? Subscribe them below or forward this newsletter to them. Thanks for sharing.