Humanitarian organizations are collecting increasing amounts of data from crisis-affected populations on both the individual and community level. This data is informing more evidence-based interventions, creating more advanced tools such as interactive maps and other infographics, and informing predictions of future humanitarian crises. However, the responsibility of handling valuable data makes humanitarian organizations a new target for cyber attacks, potentially putting people’s lives at risk. As cyber attacks such as hacking or denial of service attacks against civil society continue to increase, the humanitarian sector has not kept pace with the necessary corresponding security infrastructure or policies. Furthermore, cyberwarfare will add even more complexity and logistical challenges to the crises to which humanitarians respond. Along with ethical issues such as the data-related rights of affected populations and the “do no harm”, the humanitarian sector risks its very legitimacy in the world’s increasingly digital future, if it does not act sufficiently on privacy and security concerns.

This report outlines the various steps humanitarian organizations can take to increase their cybersecurity, ranging from the individual level to the organizational and sector-wide. They include:

Conduct risk assessments Build capacity: Staff expertise and training Partner with the private sector when the benefits outweigh the risks Change the organizational structure5. Improve the basic standards of cybersecurity practices Increase responsibility on donors for security funding and reducing stigma Improve communication between humanitarian organizations Improve data policy as a whole and be consistent Develop an emergency contingency plan

Organizations should avoid reacting in the following manner:

Address cybersecurity by introducing new technologies Wait until there is a serious breach of trust in the humanitarian sector Adopt a ‘one size fits all’ approach Become overwhelmed

The cybersecurity landscape is, by its technological nature, in a continuous arms race between offensive and defensive capabilities. The humanitarian sector must acknowledge that it is operating within this landscape, and therefore incorporate responsible structural changes that will allow organizations to continue to do their life saving work effectively. Although it is not feasible for resource-constrained organizations to keep up with the most current cybersecurity defensive technologies, there are practical steps that can be implemented (beginning with increased awareness) that will allow them to leverage the potential of data while minimizing associated harms. This report is informed by experts in the civil society, cybersecurity, and humanitarian fields, and quotes obtained in the research process are provided throughout the report for greater context. Content presented in boxes is meant to provide the reader with supplementary information.