Philip Reitinger, GCA’s President and CEO and leading representative of Common Good Cyber, spoke to Alexis Alley from the CyberPeace Institute at the Beyond 125 event in The Hague.
Watch the video and read his answers below:
Why do NGOs lack cybersecurity measures and are not empowered with AI to enhance digital resilience?
Nonprofits are in a uniquely bad position. They have data that is very valuable to attackers, and their resourcing is such that they almost all fall below what Wendy Nather calls the security poverty line. That is, they lack the sufficient resources or expertise to be able to implement cybersecurity on their own, especially nonprofits that work with project-based funding, and so maybe they get a small percentage to deal with cybersecurity, but have a problem implementing a real program to secure themselves.
They have access to data that people want, especially if they work in things like conflict zones or with targets of government surveillance, and they’re insufficiently equipped to secure it. Their data is just as valuable as the largest companies, but their resources to protect the data are very thin.
As to why they lack AI resources, everyone still lacks AI resources on the defensive side more than they ought to, and generally nonprofits, because of their lack of resources, are not on the bleeding edge of cybersecurity.
What are your three top priorities to bridge the cybersecurity gap?
The biggest priority is getting sufficient funding to be able to provide the tools, services, expertise — the scalable things that can help nonprofits around the world. Things like virtual CISO services, tools that they can use, AI-based training resources that can help people get smarter about cybersecurity. All those things are not free, and they’re not typically the sorts of things that are funded by philanthropy because they are interested in ‘let’s build a dam in Sub-Saharan Africa,’ not ‘let’s have cybersecurity across all the projects of this NGO that does work around the world.’ The first is the priority and the second is not.
The second one I’d point to is awareness. It’s still an uphill battle for a lot of nonprofits to make them aware of how big a threat they face. I’d like to say that nonprofits are a long way back, right? They are not on the edge, but a good chunk of the risk they face can actually be handled by fairly simple things. You can get 80% of the benefit of cybersecurity by doing 20% or less of the work. Really doing the basic cyber hygiene protections can get you a long, long way.
And the third thing is to build greater understanding of what these nonprofits do and their essential value to global social and economic progress, so that governments and industry foundations see the value in supporting their cybersecurity. It’s sort of odd when you think about it: governments regulate bank cybersecurity and say you have to do all of these things. And governments say to DoD, to defense departments, to contracting organizations: you have to do these things, either by regulations or by making it a part of contracts. To hospitals, you protect the health of all our people, or you are an international nonprofit and you feed the hungry. They can’t really regulate and say you have to do all these things, and they don’t have the resources. They don’t have the capabilities right now. What they need is the resources to get it done. And so, raising the level of understanding among all the people. They just need that. They need help, because they are not cybersecurity organizations. They are working on world hunger. Or they are working on education or some other critical social problems.
These are the first and second interviews in a series from the Beyond125 event. We will update this article with additional Q&A as new related videos are published.