
For the third sector
Third-sector organisations often deal with socially sensitive issues and data, and therefore, it is important to pay attention to the protective measures of the organisation and the people involved. Read more about where to start.
The non-profit sector is characterised by the diversity of organisations in terms of size, membership, and activities. As a result, NGOs come into contact with a wide variety of data, including sensitive data, such as personal and health data or religious and ideological data. As third-sector organisations often deal with delicate social issues and data, they can be the target of attacks from other countries or interest groups in addition to traditional cybercrime.
Here are some basic guidelines on how to plan for information security in your organisation, as well as aspects of which people or volunteers working for your organisation should be aware. For a more comprehensive guide, RIA has developed a short guide to the cybersecurity of companies.
Protecting your organisation
Ensuring the cybersecurity of an organisation starts with an awareness of the need and systematic planning at management level. This means that cybersecurity can be developed in a conscious way even in smaller organisations.
The first step in building the cybersecurity of an organisation is to gain an overview of data, information systems, and the flow of information. For this purpose, you need to map:
- the types of data that are collected and processed. This is unique to each organisation, ranging from only the contact details of employees or volunteers to highly sensitive personal data;
- information systems that are used in the organisation and the types of data that are stored and processed in them;
- service providers and the types of data that are exchanged with them (e.g. financial data with an accounting service provider, health data of clients for social assistance, etc.). Know the technical arrangement of the data exchange;
- the cybersecurity threats to the organisation, such as phishing, invoice fraud, malware distribution, or exploitation of security vulnerabilities. If an organisation is dealing with politically or socially sensitive issues, third-sector organisations may be at risk from targeted attacks by nation-state threat actors or interest groups (hacktivists).
The data processed in an organisation and its information systems must be managed in a conscious way: store only the data that is necessary and use only information systems that are still supported and kept up to date.
Think about the types of data that your organisation needs to process and how long this data needs to be stored:
- does the organisation need all the data that it collects and stores? If there is data that it really does not need to collect and store, it is worth deleting the information to reduce the risk of data leaks and the amount of data that needs to be protected.
- it is also important to plan for the regular deletion of outdated data.
The information and communication systems in use must be regularly reviewed:
- does the organisation need all the information systems where data is processed and stored? If some of them are no longer necessary, it is a good idea to shut them down and move the data to a system that is in use.
- are all information systems in use supported by manufacturers and security updates? If not, the risks of using the information system should be further considered and, if necessary, an up-to-date information system should be put in place.
Establish rules for the transmission of information (for example, requirements according to which documents containing personal data may only be sent by email in an encrypted format or organisational documents may not be stored in personal cloud environments). Also explain the rules to the staff and volunteers who process this information.
Discuss cybersecurity with your partners. If necessary, cybersecurity requirements should be set out in a contract.
You can find out how to outsource IT services securely by taking part in an online course created by RIA.
Plan the management and security of the IT infrastructure of the organisation (network and devices):
- map and organise the devices and the network of your organisation. Check that only the services you require are reachable and only the applications you need are running. Make sure that no service which should not be reachable from the internet is exposed (for example, remote desktop services or an old, forgotten FTP server);
- be intentional about mapping and managing the personal devices of employees that they use for accessing the information systems of your organisation;
- keep software up to date in the IT infrastructure and on the devices of the users. Installing updates quickly helps to prevent attackers from exploiting vulnerabilities to gain access to systems.
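A small way to make the "map and check what is exposed" step repeatable, as an added example (not RIA's code or part of the guide): keep an allow-list of the services each host is meant to expose, compare it with what a periodic port inventory of the organisation's own address range observed, and report anything that was never approved, plus approved services that were not seen (a sign the inventory is stale). Hostnames, ports and the observed listeners below are constructed sample data; the allow-list layout is an assumption.

```python
"""Service-exposure review over a constructed inventory (added example, not RIA's code)."""
from dataclasses import dataclass

# Assumption: the organisation keeps a simple allow-list of the internet-facing
# services it deliberately runs, keyed by host. Anything else is unexpected.
ALLOWED_SERVICES = {
    "web.example.org": {443},           # public website over HTTPS only
    "mail.example.org": {25, 443, 993}, # mail server plus webmail
    "office-nas.example.org": set(),    # must not be reachable from the internet at all
}

# Constructed observation, as exported from a scan of the organisation's own
# address range. Each tuple: (host, port, service name seen on the port).
OBSERVED_LISTENERS = [
    ("web.example.org", 443, "https"),
    ("web.example.org", 80, "http"),            # plain HTTP left enabled
    ("mail.example.org", 25, "smtp"),
    ("mail.example.org", 993, "imaps"),
    ("office-nas.example.org", 21, "ftp"),      # old forgotten FTP server
    ("office-nas.example.org", 3389, "rdp"),    # remote desktop exposed to the internet
    ("printer.example.org", 9100, "jetdirect"), # host missing from the inventory entirely
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    reason: str


def review_exposure(allowed, observed):
    """Return one Finding per observed listener that is not on the allow-list."""
    findings = []
    for host, port, service in observed:
        if host not in allowed:
            findings.append(Finding(host, port, service, "host not in inventory"))
        elif port not in allowed[host]:
            findings.append(Finding(host, port, service, "service not approved for this host"))
    return findings


def missing_services(allowed, observed):
    """Approved services that were NOT observed: the inventory may be out of date."""
    seen = {(host, port) for host, port, _ in observed}
    return sorted(
        (host, port)
        for host, ports in allowed.items()
        for port in ports
        if (host, port) not in seen
    )


if __name__ == "__main__":
    for f in review_exposure(ALLOWED_SERVICES, OBSERVED_LISTENERS):
        print(f"{f.host}:{f.port} ({f.service}) - {f.reason}")
    for host, port in missing_services(ALLOWED_SERVICES, OBSERVED_LISTENERS):
        print(f"{host}:{port} approved but not observed - check whether the inventory is stale")
```

Run it after each scan of your own range and treat every finding as a ticket: either the service is approved and the allow-list is updated, or it is switched off. The second function matters as much as the first, because an allow-list nobody maintains stops being a control.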
Train staff and volunteers on cyber hygiene:
- RIA has created a free cyber test, hosted on the popular Moodle platform, which is available to all organisations. The aim of the cyber test is to raise cyber awareness among the staff and volunteers of any organisation.
Develop and implement incident response and recovery plans:
- make sure that your incident response plans include, at a minimum, the restoration of systems that are critical and essential for the organisation. In addition, the plans should include the contact details of the persons to ask for assistance or to inform about an incident;
- if a cyber incident occurs, you can contact CERT-EE for help by emailing cert@cert.ee or calling +372 663 0299.
It is important to know the people and accounts that access your systems and data:
- review the accounts in your systems regularly and remove those that are not used or are not absolutely necessary. This helps reduce the number of accounts that must be protected and that attackers can use for gaining access to the system;
- when an employee or a volunteer leaves, block their user accounts and access to the resources of the organisation immediately;
- when granting access, apply the least privilege principle: give users as few rights as possible and only as many as absolutely necessary;
- pay particular attention to accounts with extensive or high-impact rights (administrator-level access). Reduce the number of such accounts in the system to the minimum, while taking into account the need for back-up access;
- avoid using administrator accounts for day-to-day tasks;
- establish a system for monitoring the use of administrator accounts regularly to detect unauthorised and malicious activity.
Establish rules for protecting the accounts of your organisation, which also apply to volunteers involved with the organisation:
- use strong unique passwords and multi-factor authentication (read more);
- if a system does not allow multi-factor authentication, consider an alternative solution;
- use a password manager to manage the passwords you need.
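The account rules above (remove unused accounts, block leavers immediately, keep administrator accounts to a minimum with separate day-to-day accounts, require multi-factor authentication) can be checked mechanically against an export of user accounts. The following is an added example and not RIA's code: it runs those checks over a constructed account export. The field names, the 90-day dormancy threshold, the "break-glass" marker for deliberately kept back-up access, and all records are assumptions for the example.

```python
"""Account hygiene review over a constructed account export (added example, not RIA's code)."""
from datetime import date, timedelta

REVIEW_DATE = date(2025, 6, 1)       # constructed "today" so the result is reproducible
DORMANT_AFTER = timedelta(days=90)   # assumed threshold for "not used"

# Constructed export of accounts (e.g. from a directory or a SaaS admin panel).
# "owner" links several accounts to one person; "left" means the person has left.
ACCOUNTS = [
    {"user": "anna",         "owner": "Anna",  "admin": False, "mfa": True,  "enabled": True, "last_login": date(2025, 5, 30), "left": False},
    {"user": "anna-admin",   "owner": "Anna",  "admin": True,  "mfa": True,  "enabled": True, "last_login": date(2025, 5, 12), "left": False},
    {"user": "bert",         "owner": "Bert",  "admin": True,  "mfa": False, "enabled": True, "last_login": date(2025, 5, 31), "left": False},
    {"user": "carla",        "owner": "Carla", "admin": False, "mfa": True,  "enabled": True, "last_login": date(2025, 1, 15), "left": False},
    {"user": "dan",          "owner": "Dan",   "admin": False, "mfa": False, "enabled": True, "last_login": date(2025, 4, 2),  "left": True},
    {"user": "backup-admin", "owner": "IT",    "admin": True,  "mfa": True,  "enabled": True, "last_login": None,              "left": False, "break_glass": True},
]


def admin_accounts(accounts):
    """Enabled accounts with administrator-level rights; keep this list as short as possible."""
    return [a["user"] for a in accounts if a["enabled"] and a["admin"]]


def review_accounts(accounts, today=REVIEW_DATE, dormant_after=DORMANT_AFTER):
    """Return (username, issue) pairs for every enabled account that breaks a rule."""
    issues = []
    # People who already have a non-admin account for routine work.
    has_standard_account = {a["owner"] for a in accounts if a["enabled"] and not a["admin"]}
    for a in accounts:
        if not a["enabled"]:
            continue  # already blocked; nothing to do
        user = a["user"]
        if a["left"]:
            issues.append((user, "owner has left the organisation: block the account now"))
        if not a["mfa"]:
            kind = "administrator" if a["admin"] else "user"
            issues.append((user, f"{kind} account without multi-factor authentication"))
        if a.get("break_glass"):
            continue  # deliberately kept as back-up access; not being used is expected
        if a["admin"] and a["owner"] not in has_standard_account:
            issues.append((user, "no separate day-to-day account: admin account is used for routine work"))
        if a["last_login"] is None or today - a["last_login"] > dormant_after:
            issues.append((user, f"dormant: no login in the last {dormant_after.days} days, remove if not needed"))
    return issues


if __name__ == "__main__":
    print("administrator accounts:", ", ".join(admin_accounts(ACCOUNTS)))
    for user, issue in review_accounts(ACCOUNTS):
        print(f"{user}: {issue}")
```

The break-glass exception is deliberate: the guidance asks you to keep back-up administrator access, and a review script that keeps telling you to delete it will be ignored. Everything else on the list is a decision for the account owner or management, which is why the script reports rather than changes anything.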
If social media plays an important role in the communication of your organisation, pay attention to social media security:
- know the accounts used in your organisation;
- protect social media accounts (strong passwords, multi-factor authentication, verification);
- provide additional security training for social media managers;
- read more in the blog of the Information System Authority.
Nation-state threat actors or ideologically motivated attackers (hacktivists) can also target private individuals linked to organisations, such as volunteers. These types of attacks can be consistent, well-coordinated, and carried out simultaneously against both an organisation and an individual. It is important to be aware that attacks on an individual, such as a volunteer, can also have an impact on the organisation.
Whenever possible, restrict publicly available information about yourself to reduce the amount of information that attackers could use for an attack:
- when using social media, be aware that information shared or posted about you by others may be used for a targeted attack.
Check your contacts and stay vigilant in regard to social manipulation:
- make sure the people you meet on social media are real (verify the identity of the person);
- be vigilant about impersonation; for example, a stranger may claim to be a journalist or assume some other social role;
- be careful when clicking on links or opening attachments, particularly from unknown sources, whether they arrive by email, text message, or another communication platform, and when scanning QR codes;
- if possible, avoid the use of removable storage devices such as flash drives. However, if you do need to use an external data carrier, be extremely careful to avoid downloading malware onto your device.
Ensure the security of your devices, web usage, network traffic, and data transmission:
- always use encryption when transmitting sensitive data;
- make sure that the communication, social media, and other apps you use are transmitting data securely (using encrypted data transfer) and check where they store data.
- if your browser warns you that the page you are visiting does not transfer data securely, avoid using the website if possible. Make sure that data is exchanged with websites over the encrypted HTTPS protocol. On websites using unencrypted HTTP, an attacker on the path can show you content of their choosing or steal any data that is entered, so avoid entering personal data on such websites;
- in public areas, use the mobile internet connection provided by your mobile phone operator, which you can also share with your computer. Avoid public Wi-Fi networks;
- if you work in a public space, be aware of your surroundings so that others (including surveillance cameras) would not be able to see your activities on the device (including entering passwords) or overhear conversations. Follow the general guidelines on safe remote work.
- Check out the short guide to cybersecurity for small and medium-sized enterprises and organisations: https://www.ria.ee/sites/default/files/documents/2025-05/Cybersecurity-quick-guide-for-companies-2025.pdf.
- The security requirements for IT systems are summarised in the Estonian Information Security Standard (E-ITS). It is a cybersecurity guide which, if followed, should protect larger organisations from most cyber threats.
- Cybersecurity guidelines in English for high-risk communities and third-sector organisations in the US context: Project Upskill.