In 2023, Cisco Talos and partners created a special Backdoors & Breaches card deck to help NGOs improve their cybersecurity skills with practical, easy-to-use training tailored to their needs.
# Best Practices: Cybersecurity Preparedness for Non-Governmental Organizations (NGOs)
## Overview
These practices focus on enhancing the cybersecurity preparedness, incident response capabilities, and proactive security posture of NGOs, which often operate with constrained budgets and resources, making them attractive targets for various threat actors. The central theme is leveraging cost-effective, engaging tools like tabletop exercises (TTX) to bridge the cybersecurity skill and resource gap.
## Key Recommendations
### Immediate Actions
1. **Conduct an Initial Cybersecurity Assessment:** Identify critical digital assets, data types (especially donor/beneficiary information), and existing basic security controls, recognizing the constraints of the "cybersecurity poverty line."
2. **Initiate Tabletop Exercises (TTX):** Immediately adopt and start using cybersecurity tabletop exercises (specifically the *Backdoors & Breaches* framework or its specialized NGO expansion decks) to engage leadership and technical teams in scenario-based incident response planning.
3. **Distribute and Share Existing TTX Materials:** Access and distribute the open-source *Backdoors & Breaches* cards (both base and specialized expansion decks, if available) to relevant teams to familiarize them with incident response terminology and processes.
### Short-term Improvements (1-3 months)
1. **Customize TTX Scenarios:** Tailor the tabletop exercises to include scenarios highly specific to the organization's unique technical, political, and logistical challenges (e.g., attacks targeting field operations, compromised aid distribution systems).
2. **Establish/Validate Incident Response (IR) Roles:** Use TTX results to clearly define roles and responsibilities for incident response across technical, communications, and leadership teams, ensuring clarity under pressure.
3. **Enhance Collaboration via ISACs:** If the organization operates in the US, join and participate in the NGO Information Sharing and Analysis Center (NGO-ISAC) to receive threat intelligence relevant to the domestic civil society sector.
### Long-term Strategy (3+ months)
1. **Sustain Incident Response Training:** Integrate customized TTXs as a recurring, budgeted security activity (e.g., quarterly or bi-annually) to maintain sharp incident response skills across rotating staff and leadership.
2. **Budget Optimization for Security:** Develop a sustainable, low-barrier operational continuity plan that prioritizes essential cybersecurity investments that directly support mission delivery, even with limited donor/grant funding.
3. **Develop Cross-Organizational Knowledge Sharing:** Participate actively in NGO sector gatherings (like the NetHope Global Summit) to share lessons learned from TTXs and collective challenges faced by peers.
## Implementation Guidance
### For Small Organizations
- **Focus on Accessibility:** Prioritize free or low-cost simulation tools. Use the digital versions of the *Backdoors & Breaches* game, which can be served to remote participants with minimal resources, such as a local Python web server.
- **Cross-Train Staff:** Due to limited IT staff, ensure all key personnel (not just technical staff) participate actively in TTXs, as employees are often the first line of detection.
### For Medium Organizations
- **Formalize the IR Document:** Use the findings from the initial TTXs to draft, document, and formally approve a concise Incident Response Plan (IRP) that leadership has signed off on.
- **Establish Sharing Channels:** If dealing with significant international exposure, establish secure channels for sharing operational security concerns with peer organizations or established sector-specific groups like NetHope.
### For Large Enterprises
- **Develop Custom Expansions:** Invest time or resources (if partnerships allow) in creating proprietary expansion decks that model threats targeting specific advanced infrastructure, cloud environments, or unique data handling requirements of the large NGO.
- **Integrate TTX with Resilience Planning:** Ensure the outcomes of cybersecurity TTXs are formally integrated into the broader organizational Business Continuity and Disaster Recovery (BCDR) plans.
## Configuration Examples
*While the article focuses on process rather than specific technical configurations, the following demonstrates how to enable virtual participation in TTXs:*
**Setting up a Local Web Server for Remote TTX Play (Using Python):**
To allow geographically dispersed teams to play the digital version of the card game simultaneously:
1. **Install Python:** Ensure Python is installed on a facilitator's local machine.
2. **Navigate to Directory:** Change the directory in the command line to the folder containing the necessary game files (e.g., those from the NGO-ISAC GitHub repository).
3. **Start the Server:** Execute a standard command to spin up a local HTTP server (e.g., `python -m http.server 8000`).
4. **Share Access:** Use a web sharing utility or VPN access control to allow remote participants to connect to the facilitator's local IP address and port (`http://[Facilitator_IP]:8000`).
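The four steps above can be packaged into one small script so a facilitator does not have to remember the one-liner and its defaults. The script below is an added example written for this summary; it is not code from the Cisco Talos article, Black Hills Information Security, NGO-ISAC or the game's repository. It assumes the game files are static HTML/JS that a browser loads directly from a folder (the `directory` argument is whatever folder the facilitator downloaded), and that remote players reach the facilitator over a VPN or LAN address rather than the public internet. Two points it handles that the bare `python -m http.server 8000` does not: that command listens on every interface by default, whereas this script refuses anything but loopback or private addresses unless told otherwise, and it disables directory listings so a mistyped URL does not reveal the rest of the facilitator's folder.

```python
"""Serve the Backdoors & Breaches game files to remote players over HTTP.

Added example for this summary; not code from Cisco Talos, BHIS, NGO-ISAC or the
game's repository. Assumes the game files are static HTML/JS served from one
folder and that players connect over a VPN or LAN, not the public internet.
"""
import argparse
import functools
import http.server
import ipaddress
from pathlib import Path

DEFAULT_PORT = 8000  # same port as the `python -m http.server 8000` one-liner


def resolve_bind_address(addr: str, allow_public: bool = False) -> str:
    """Return addr if it is reasonable to listen on, otherwise raise ValueError.

    Loopback and RFC 1918 private addresses are accepted: those are what a VPN
    tunnel or office LAN exposes. The wildcard 0.0.0.0 and public addresses
    would publish the facilitator's machine on every attached network, so they
    are refused unless the caller opts in with allow_public=True.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or (ip.is_private and not ip.is_unspecified):
        return addr
    if allow_public:
        return addr
    raise ValueError(
        f"refusing to listen on {addr}: use a loopback, VPN or LAN address, "
        "or pass allow_public=True to override"
    )


class GameFileHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler with directory listings turned off."""

    def list_directory(self, path):
        # SimpleHTTPRequestHandler would render an index of the folder here;
        # answer 403 instead so only files that are explicitly requested are served.
        self.send_error(403, "Directory listing disabled")
        return None


def build_server(directory: str, bind: str, port: int,
                 allow_public: bool = False) -> http.server.ThreadingHTTPServer:
    """Create (but do not start) a threaded server rooted at `directory`.

    Port 0 asks the OS for a free ephemeral port; the chosen port is available
    afterwards in server.server_address.
    """
    root = Path(directory).resolve()
    if not root.is_dir():
        raise FileNotFoundError(f"game directory not found: {root}")
    bind = resolve_bind_address(bind, allow_public)
    handler = functools.partial(GameFileHandler, directory=str(root))
    return http.server.ThreadingHTTPServer((bind, port), handler)


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("directory", help="folder containing the game files")
    parser.add_argument("--bind", default="127.0.0.1",
                        help="address to listen on (default: loopback only)")
    parser.add_argument("--port", type=int, default=DEFAULT_PORT)
    parser.add_argument("--allow-public", action="store_true",
                        help="permit 0.0.0.0 or a public address")
    args = parser.parse_args()
    with build_server(args.directory, args.bind, args.port, args.allow_public) as srv:
        host, port = srv.server_address[:2]
        print(f"Share http://{host}:{port}/ with remote players (Ctrl+C to stop)")
        srv.serve_forever()


if __name__ == "__main__":
    main()
```

Run it as `python serve_game.py ./game-files --bind 10.8.0.2` (the file name and the VPN address are placeholders) and give players the printed URL; with no `--bind` it listens on loopback only, which is the right default while testing on the facilitator's own machine. The script adds no authentication or TLS, because `http.server` has neither; that is why the VPN or LAN boundary, rather than the server itself, is what keeps the game private.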
## Compliance Alignment
The recommendations align with general security maturity frameworks by emphasizing preparedness, testing, and stakeholder engagement:
- **NIST Cybersecurity Framework (CSF):** Heavily aligns with the **Identify** (understanding assets), **Detect** (identifying incidents), and **Respond** (developing and practicing response plans) functions.
- **ISO/IEC 27001:** Supports the requirement for documented procedures and regular testing of information security controls (A.16 Incident Management).
- **CIS Controls:** Supports foundational steps for establishing security awareness training and testing IR processes.
## Common Pitfalls to Avoid
- **Ignoring the "Cybersecurity Poverty Line":** Do not assume high-cost, enterprise-grade solutions are the only path. Focus on leveraging free, accessible, and effective training tools like customized TTXs.
- **Treating IR as only a Technical Task:** Failing to involve executive leadership, communications, and field staff in preparedness discussions ensures failure during a real incident. TTXs must span all organizational levels.
- **One-and-Done Training:** Cybersecurity preparedness training, especially IR simulation, loses value quickly. Avoid conducting a single exercise; commit to regular, sustained practice.
## Resources
- **Cybersecurity Tabletop Exercises:** "Backdoors & Breaches" card-based TTX framework (developed by Black Hills Information Security, available under GNU license).
- **International NGO Focus:** Customized expansion decks created in collaboration with NetHope and Cisco Talos.
- **US Domestic NGO Focus:** Deck developed in partnership with NGO-ISAC, often featuring scenario-specific guides reflecting US operational challenges.
- **Digital Access:** Materials are often hosted publicly (defanged link placeholder: `GITHUB_LINK_TO_EXPANSION_FILES`) allowing for low-cost digital deployment.
- **Sector Intelligence:** NGO-ISAC (for US-based organizations).