
Cybercriminals Don’t Wear Hoods: How NGOs Are Being Attacked

Cybercriminals aren’t hooded guys. How are social organizations attacked? Maciej Broniarz blog

NGOs shouldn’t feel safe. Crooks will always go anywhere there’s money or… the security is weak. What threats do these organizations face? How can they react to them? What should they be looking out for? We ask Maciej Broniarz, IT specialist, academic lecturer, system administrator, and crisis management expert in IT incidents, all of these questions and more. 

Are non-profits safe? Or is every organization prone to being targeted by cybercriminals?

Of course, they are. However, luckily, the awareness around this is changing. A lot changed after the pandemic, as that is when it dawned on people that even in private contexts, they can be subject to mass attacks. 

These are often attacks that are calculated for financial gain. They are not particularly sophisticated, but due to their scale, a certain percentage of them are effective, and this pays off for criminals.

The knowledge about such attacks then reaches people in a purely professional context. They suddenly realize that even if their organization is not a potential target, virtually any area in which they operate may be of interest to criminals, simply because that is where the money is.

What are cybercriminals after? Money? Data?

In the case of NGOs, things are a bit more confusing. The target may be money, of course. Still, if criminals attack organizations for ransom and use ransomware, it would undoubtedly be easier for them to extort money from a company than from a non-profit. 

The specific nature of NGOs means that two other things pose significant threats. First: any destabilizing activities. Poland currently borders a country where a war is raging. Russian and Belarusian intelligence agencies are very active in Poland. All sorts of destabilizing and sabotaging activities are very popular, and it’s small organizations that often fall victim to such attacks. Someone can cause chaos or use the infrastructure of an organization, which is frequently not well secured, as a transit point.

I recently came across an incident where a group connected to Russian secret intelligence was orchestrating attacks on the IT infrastructure of large Polish non-governmental organizations. They didn’t do this directly. They used the server of a small NGO, somewhere in southern Poland. They broke into their system and set up a transit point. This type of activity potentially hinders analysis and makes it difficult to determine where exactly the attack originated.

Another context, which is critical in Poland, is all the action taken against organizations working in the area of cooperation with other countries. Whether they work with civil movements in Russia or Belarus, or are aid organizations that care for refugees from Ukraine, for example.

What should one do to avoid being attacked? Invest in cybersecurity or cyber obstacles?

It’s like the equipment in your car. You have seatbelts, a spare tire, and brakes. Investing in good brakes sounds perfectly sane, even if we don’t use them to brake abruptly. We usually accept it as the status quo and benefit from it. Contrary to what you may think, these organizations catch on quickly. Especially if they monitor the infrastructure. We were taught to believe that we only find out about an incident once it’s already happened. Fortunately, that’s not true for a growing number of organizations. These are often NGOs that realize an attack is being carried out against them and can respond, or they catch a group red-handed while they are doing reconnaissance in preparation for an attack.

Barbed wire is a good metaphor: if we put up a series of barriers that a criminal has to break through, they will be caught at some stage, and the organization will be able to react. Of course, this requires a lot of commitment, especially in terms of human resources, which organizations do not always have at their disposal.

Could raising awareness of these risks be a key factor in making Polish NGOs safer?

Often, it’s simply a matter of the attitude of NGO activists. This brings to mind a specific example in Poland: someone had decided to care for lonely elderly people across several counties.

If someone is alone in a small town or village, they sometimes need support. Whether it’s replacing a fuse or bringing in coal, many simple tasks become more difficult at a certain age.

In this case, someone decided that since this system was working, they’d make a list of such people in need on their organization’s fan page. The idea was to let interested people know who is closest to them and who they could help.

The idea itself is obviously great and very noble, but it could lead to the creation of a tailor-made list for criminals—ready-made tips on who is alone, who has no visitors all week long. Implicitly: who is easy to rob, carries no risk, and can be “taken care of” without any problems.

When I spoke to the person behind this, it suddenly dawned on him that he hadn’t even considered the possibility that this information could be used in an entirely different way than he had intended.

So, sometimes we have to think like a criminal?

Yes, exactly.

How can organizations be persuaded to prioritize their cybersecurity?

It can be interviews like this one, conversations, publications, or conferences. People need the opportunity to learn about this at their own pace, considering how it applies to their organizations. 

The Batory Foundation organized a great project supporting NGOs in improving their teleinformation security. At the time, it was something new. 

Investments were made in both infrastructure and proficiency, enabling members of organizations to implement and utilize these security measures. Emphasis was placed on long-term solutions.

This means that organizations implemented solutions in 2022. Now, in 2025, they continue to use these solutions, and the level of security is noticeably higher. They work very well, but of course, they come at a high cost. You have to be careful and analyse each incident.

So it’s not so bad? Do we know what dangers lie ahead?

People are quick to take an interest in the subject when they hear that another organization has fallen victim to an incident. For them, it’s a clear-cut example that’s easy to explain. However, many actions are a bit of a fig leaf.

Everybody assumes that NGOs’ problems stem from the lack of technology, equipment, and software. This is not true. The problem is the lack of human resources. There are many open-source solutions available, and there is plenty of equipment that companies are willing to donate. 

Cisco donated a lot of equipment to non-profits in Poland and Ukraine shortly after the outbreak of the war. This was a truly impressive gesture that made a significant impact. It also proves that it can be done. You don’t have to go to great lengths to obtain equipment or software.

In Poland, such programs are described as supporting non-governmental organizations, when they are, in fact, an unconventional sales channel. These include, for example, cloud services or licensing solutions. The organization gets a number of different licences for free or very cheaply. Great, but what is it supposed to do with them? People still don’t know.

I spend some of my time traveling around Poland and organizing seminars about security for NGOs. Mainly to tell them what threats can apply to them, but also to ask a few questions about their security management and possibly offer some advice. And not once, over the past few years, have I heard someone say: We don’t have the software, we don’t have cloud services. Never. They say it outright: we lack human resources. 

I recently came across an organization where a woman who was setting up two-factor authentication in her email system corresponded with me in a very sensible and professional manner. She had questions about how best to set it up and manage access. We spent a lot of time with her discussing it and came up with a model that would be convenient for her. And then it turned out that this woman was also the office manager and the chief accountant. It turned out that she handles IT and security tasks after hours, once she’s finished with her actual responsibilities.

If, instead of licences for rarely used software, organizations received funding for training, this would have a much greater positive effect than more software or access to more tools. Of course, ideally, the training would have to be conducted by a local company, which could then supervise everything from time to time.

Empathetic NGOs are particularly vulnerable. Is it worth teaching ourselves and others to be distrustful online?

Yes, for sure. This is very often a problem for beneficiaries of specific organizations. For example, older people are easily deceived by various scams because they do not understand technology.

I remember years ago when someone called my grandmother pretending to be my brother. “He” said he had been in an accident because he was driving drunk. The police had arrested him, and now we had to quickly pay a fine so he wouldn’t go to jail. My grandmother replied that if he was driving drunk, he was stupid and hung up.

However, the most significant problem is that such things can now be done using AI. If someone were to collect audio samples of a person’s voice, it would make it possible to impersonate them. In this case, it’s extremely difficult to explain to an elderly person: “This is not true. It’s not your grandson talking to you on the phone. It is simply a modified voice sample.”

At some point, there was an idea to address such topics in popular media, like soap operas. People would watch them and, I presume, return to the topic at some point. It permeates the collective consciousness. Sometimes, there would be complaints that the storyline was boring, but people can endure 2-3 minutes of boredom to become more sensitive to specific issues. 

This way, they’ll know the police won’t call them up and tell them to gather 10,000 PLN and then throw it in a particular garbage can because they are organizing a “sting operation.” Believe it or not, these things do happen.

So, should we invest in people? Their skills, knowledge, raise awareness, demonstrate, explain?

This is key. If someone wants to seriously think about digitizing non-governmental organizations, but also take into account their own security, their data, and their beneficiaries, then the investment should be primarily in people. Everything else can be sourced.

An ideal model could be the creation of local, county, and provincial competence centres working with these NGOs. This could be a cooperation between a dozen or so organizations that would, for example, share their IT resources. Often, all that is needed is a trusted person who will devote some of their time.

Why is this important?

Criminals are no longer guys in hoods, sitting in dark rooms and staring at green monitors. They come to work at 8:00 AM and receive instructions from their dispatcher: “Today you will rob companies A, B, and C.” And they just methodically follow a script. If they encounter security measures or defence mechanisms, they simply move on to the next victim, saying, “OK, we’re not going to get anywhere, let’s move on.” So if we increase security for these organizations, we will end up filtering out a large proportion of such incidents because these criminals will simply move on to easier targets. 

Coming back to local support networks: these would ensure the best results because if something were to happen, organizations would have someone to turn to for help. It would be great if these movements were heading in that direction.

We’re already trying to build something like this in the context of CERT because we are working with organizations in Lublin and Pomorze (Pomerania), so this network extends far beyond the Warsaw bubble.

So, does that mean that scammers and cybercriminals operate like call centers?

It’s a bit of a hybrid between a call center and a franchise. You can pay to become a crime ring franchise owner. You then get a full set of tools and guidebooks. And then someone comes into “work,” logs into the system, and gets their assignment. By assignment, I mean the data of someone they are supposed to rob that day.

In addition, they receive a packet of information about the foundation, including details on the tools they use and who has access to its sensitive information – the accountant or a member of the board.

Next, they send out phishing emails informing people about the expiration of a password, for instance. Then you click to log in again and lose your mailbox password. Then the fraudsters can send an invoice with a changed account number to the entities cooperating with us, and it will not arouse suspicion.

It also has to be profitable for them. So if an organization doesn’t respond to this scenario, the criminals conclude that it’s not worth the costs incurred. And they move on.

To put it simply, if we increase our security by 20%, we will be affected by 80% fewer incidents. For the criminals, there are simply other, more attractive targets, where people can be deceived more easily.
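The scenario just described ends with an invoice carrying a changed account number reaching an organization’s partners. The following is an added example, not from the interview or from Maciej Broniarz, of the kind of small control that catches exactly that step: every incoming invoice is compared against the vendor’s bank account on record, and the IBAN checksum (ISO 13616 mod-97) is validated so that typos and hand-edited numbers are held as well. The vendor ids, the two published sample IBANs and the invoices are constructed test data, and the vendor master table is assumed to have been verified out of band (by phone to a known number, never by replying to the email that delivered the invoice).

```python
"""Added example: hold invoices whose payment account differs from the
vendor's account on record, or whose IBAN fails the mod-97 checksum.
Not code from the interview; all data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed vendor master record: vendor id -> IBAN verified out of band.
# The value is a widely published sample Polish IBAN, not a real account.
VENDOR_MASTER = {
    "V-001": "PL61109010140000071219812874",
}


@dataclass
class Invoice:
    vendor_id: str
    number: str
    iban: str
    amount: float


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    A-Z to 10-35, and the resulting integer must be congruent to 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isascii() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def check_invoice(inv: Invoice) -> list[str]:
    """Return the reasons this invoice must be held for manual verification.
    An empty list means the payment details match the vendor record."""
    reasons: list[str] = []
    on_record = VENDOR_MASTER.get(inv.vendor_id)
    paid_to = inv.iban.replace(" ", "").upper()
    if on_record is None:
        reasons.append("unknown vendor: no account on record")
        return reasons
    if not iban_is_valid(paid_to):
        reasons.append("IBAN fails mod-97 checksum")
    if paid_to != on_record:
        reasons.append("account differs from vendor record")
        # A change of country code is a strong signal on its own.
        if paid_to[:2] != on_record[:2]:
            reasons.append(f"country changed {on_record[:2]} -> {paid_to[:2]}")
    return reasons


def run_sample() -> dict[str, list[str]]:
    """Run the control over constructed invoices: one legitimate, one with
    the account swapped to a foreign IBAN, one with a mistyped digit."""
    invoices = [
        Invoice("V-001", "FV/1", "PL61 1090 1014 0000 0712 1981 2874", 1200.0),
        Invoice("V-001", "FV/2", "GB82WEST12345698765432", 1200.0),
        Invoice("V-001", "FV/3", "PL61109010140000071219812875", 1200.0),
    ]
    return {inv.number: check_invoice(inv) for inv in invoices}


if __name__ == "__main__":
    for number, reasons in run_sample().items():
        status = "OK" if not reasons else "HOLD: " + "; ".join(reasons)
        print(f"{number}: {status}")
```

The control is deliberately dumb: it does not try to decide whether a change is legitimate, it only refuses to pay silently when the account differs from what was verified earlier, which is the moment the fraud described above depends on nobody noticing.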

What if we’re attacked? What should we do? What can we do?

First things first, you should calm down and think. I deal with incidents like this daily in my job, and there are several dozen of them a year. These are very often major incidents that end up appearing in the media.

With a large sample size, I can identify what people tend to do wrong and what they tend to get right. I’ve never encountered a case where a faster reaction would’ve solved the issue. I have seen many situations, however, where people reacted emotionally. In a state of panic, they made foolish decisions that exacerbated the situation, leading to a recovery time of several weeks, rather than just a few days, to get the organization back up and running.

Someone, overcome by emotion, disconnected the equipment from the power supply. The machine didn’t have time to cool down, something overheated, and a bigger problem arose. In addition to the website hack, which the organization had to deal with, it also had to buy a new server.

Doing things calmly is always the better option. If we’re talking about ransomware attacks or data leaks, there’s usually nothing we can do on our own. We plainly need help; we need to connect with someone who knows what they are doing.

My advice would be to gather such contacts early on, before anything bad happens. And it doesn’t require a lot of work. You can even get in touch with us and say, “Listen, we have this organization, take a look at our security.” We’ll share our insights on what we think is worth doing and discuss them with you and your organization to gain a deeper understanding.

If the organization calls us up in six months to report an incident, we already have an open channel of communication with them. We know what software and tools they use, and we know where the problem might potentially be. Then it’s an entirely different situation.

When it comes to safety, let’s take action before something bad happens. This will make it much easier for us to deal with bad situations later on, as incidents are likely to occur at some point.

Let’s return to the topic of tools that organizations can use. Can you share any examples?

There are many tools available to non-governmental organizations that are free or inexpensive. Starting with vulnerability scanning services in systems: an application periodically checks all your servers and indicates where there are vulnerabilities, where things need updating, and where things are that need attention. 

These are things that organizations can easily access – all they have to do is contact us, and we will provide them with these tools, practically immediately. We offer leak monitoring systems and phishing campaign detection systems. Some are free, some cost money, but the costs are not high. For large organizations, we’re talking about a few thousand zlotys per year. For small organizations, the annual cost is usually a few hundred zlotys. These should be acceptable costs.

Especially since these attacks on non-governmental organizations are often linked, they’re not simple, isolated incidents. Very frequently, they form a chain.

What exactly does that mean? Can you recall any examples of such an attack?

Here’s a vivid example from a few years ago. When the war broke out, a refugee aid centre was launched in Nadarzyn, near Warsaw. Someone attacked this aid centre, using a phishing campaign to send emails to the people who worked there, gaining access to their mailboxes.

At first, they didn’t do anything else, except gain access to those mailboxes. However, from those mailboxes at the aid center, they sent phishing emails to various non-governmental organizations that worked with the aid centre, taking over the email accounts at those organizations. Next, they began drafting emails to their sponsors, law firms, and other relevant contacts.

And that’s when things got serious, because potentially infecting computers in law firms with malware is already a major deal. They can, for example, encrypt an organization and demand a ransom.

This chain of events occurs very often, and the sooner we detect it, the sooner we react, and the better it is for everyone. This means that we need to start thinking about security before something bad happens. That is the time when we have space and time to react.

A security policy sounds serious, but maybe simple rules and clear instructions are enough?

On the one hand, any policy is potentially better than no policy at all, because it means that we are addressing the issue. The problem is that an arbitrary policy may be ill-conceived or even harmful. Sometime soon, new legislation will likely come into force. For instance, the Cyber Resiliency Initiative and the Cyber Resiliency Act introduce the idea of personal and criminal liability of board members for neglecting ICT security issues. And that shifts the focus, because suddenly you are potentially liable for neglecting something. Even though this isn’t happening yet, it will likely come into effect within two or three years. Knowing the Polish pace of adaptation to new things, it will probably take five years, but it’s worth keeping in mind.

Poland’s Personal Data Protection Office doesn’t hold organizations that have had incidents accountable for the insufficiency of their security policies. Of course, there’s always room for improvement, but what happens is that when an official asks a question, a humongous document appears on the table. It contains 100,000 different awesome ideas, but then they say, “OK, now show us that you’re doing this.” And then there is an awkward silence, because we’re not actually doing it.

Writing down a number of operations that basically require a cybersecurity team of a dozen or so people working 24/7 is a shot in the foot. This policy must be set in the proper context. If someone is unsure about how to approach it, we offer a short guide for non-governmental organizations on protecting themselves in various areas. In the context of email, backup, websites, access to applications, and similar issues.

What steps should we take in regard to our internal policy?

When creating a policy, we should ground it firmly in the context of our organization and our capabilities. We shouldn’t include things just because a consultant advised us to or because we think doing something often will be enough.

When a social organization creates a policy, it may include statements such as: “If a vulnerability is discovered in the IT system, it must be removed within 24 hours.” Well, if someone finds a bug on Saturday morning, there is little chance that it will be fixed by Sunday morning.

I have a great comparison between organizations and banks. We’re talking about financial institutions, so these are serious issues with much greater risks. And the procedures in banks are, for example: “if a vulnerability is discovered, it should be removed by the end of the next quarter after the quarter in which it was discovered.” Is there a procedure? Yes, there is.

Once, we found a vulnerability at one of the banks, and the bank responded that it would be removed next year. And we’re talking about a bank that we all know. It functions, and somehow it works. Someone had to clarify this, stating that the potential consequences of this error are not significant, so I am not criticizing the bank, but rather pointing out their perspective. There is no point in tightening the screws, especially if we don’t know how to do something.

The first thing an organization should do when developing such a policy is to find someone locally who will be able to work with them, so that they can cut through some of the technical aspects and make suggestions on how things can be done. If we are in a place where, for instance, there’s a university, it’s worth approaching any technical faculty or wherever someone is teaching IT or telecommunications, and saying that you’re looking for a student whom you’d be happy to pay a small fee to help out your organization.

Building local networks is very important. People need internships to gain experience and establish a temporary foothold. We don’t have to hire a professional for 25,000 zlotys a month. We can do it differently, and it will still take us in the right direction in terms of security.

***

Maciej Broniarz: Speaker with many years of experience, academic lecturer, IT security consultant. Since 2010, he has been a lecturer in Computer Forensics at the Center for Forensic Sciences at the University of Warsaw. He has conducted numerous lectures and training courses on cybersecurity, including for the Polish Financial Supervision Authority, the Warsaw University of Technology, the Faculty of Mathematics, Mechanics, and Computer Science at the University of Warsaw, NASK, and the Warsaw Bar Association. He is valued for his extensive knowledge, rich practical experience, and ability to easily convey knowledge and explain even the most complex content in an accessible way. During his professional career, he has headed, among others, the Computer Networks Department at the University of Warsaw and the CERT PLIX team. He is an expert in cybersecurity and computer forensics, cooperating with, among others, the law firms Leśniodorski, Ślusarek i Wspólnicy, Pietrzak-Sidor, and Wardyński i Wspólnicy. He cooperates with the Bronisław Geremek Foundation and the Helsinki Foundation for Human Rights in R&D projects related to combating cybercrime. He is a member of the Polish Criminalistics Association.