CyberPeace Builders

Our Organization

CyberPeace Institute

What is the name of your solution?

CyberPeace Builders

Provide a one-line summary of your solution.

The CyberPeace Builders program is an innovative solution to the main obstacle to nonprofit cybersecurity: the shortage of cyber talent.

In what city, town, or region is your solution team headquartered?

In what country is your solution team headquartered?

• Switzerland

What type of organization is your solution team?

Nonprofit

Film your elevator pitch.

What specific problem are you solving?

In today’s volatile international environment, nonprofit organizations play a central role in providing humanitarian relief and protecting the human rights of over 1 billion vulnerable individuals worldwide trapped in conflict, natural disasters, or economic hardship. However, the problem is that as nonprofits collect and retain more beneficiary data, receive donor funds through digital channels, and manage key operations via internet-connected systems, their vulnerability to cyberattacks has considerably increased in the past few years. This is due to the fact that nonprofits come across as cyber-poor and target-rich to cyber criminals. Cyber-poor as they are an easy target from a technical perspective, and target-rich as the sector raises over $1 trillion annually to deliver programs that bring life saving assistance and protection to people in need.

While cybersecurity is a problem for all industries, it has become a particular challenge for nonprofits. From ransomware to fraudulent access and data leaks, cybercriminals have become increasingly sophisticated and the threat landscape more diverse. In addition, these cybersecurity challenges are accompanied by a workforce shortage. Nonprofits operate on well-defined and often limited budgets, dedicating most of their funds to fulfilling their mandates. This makes it difficult for nonprofits to attract the cybersecurity talent needed to stay secure. Beyond material resources, one of the main challenges nonprofits face is that their leadership often lack the time – and in many cases the awareness – to carry out the extensive research necessary to implement robust cybersecurity governance measures aligned with their organization’s operational reality. Furthermore, few donors require the organizations they support, and allow them to invest time and funding on cybersecurity issues.

The digital attack surface of NGOs has been growing considerably in the past decade. More precisely, the COVID-19 pandemic has forced many NGOs around the world to digitalize their operations in order to ensure continuity. During the pandemic and in its aftermath, digital development was not only a necessity, but it became part of the NGOs’ strategy, introducing a permanent change in the way they work, communicate, fundraise, or deliver services. Nonetheless, while digitalizing their services, very few NGOs have developed their own products and platforms. Instead, most of them use third party services to assist them with the digital tools they require, exposing them to a whole set of threats and vulnerabilities.

What is your solution?

As a solution to the aforementioned problem, the CyberPeace Institute launched the CyberPeace Builders program in October 2021: a network of cybersecurity experts with a wide range of profiles, both technical and non-technical, employed by local and international companies, who volunteer their time to help nonprofits enhance their digital resilience against cyber threats. More precisely, nonprofits and corporate volunteers (referred to as  “Builders”) that enter the program are invited to join a secure online cooperation platform hosted via Mattermost. 

Mattermost is an open source communication platform, similar to Slack or Discord. The online platform is composed of two hubs - the Builders Space & the CyberPeace Café. These hubs act as central nodes where on one side nonprofits can access resources and events, ask questions, and flag cyber incidents (the CyberPeace Café), while on the other volunteers can share ideas, synchronise, and select missions (Builders space). In addition to these hubs, each nonprofit organization has access to it’s own channel, while the volunteers can select their engagements through a board that is constantly updated by the program team. Once a volunteer selects their engagement – or mission – they are automatically added to the specific channel of the nonprofit. The platform enables both nonprofits and cybersecurity experts to engage in active community dialogue, while strengthening their cybersecurity.

To assist nonprofits to identify their needs and help in the creation of concrete missions, usually ranging between 1 to 4 hours, the CyberPeace Builders program team has developed the General Cybersecurity Assessments (GCSA). The GCSA enables a holistic and in-depth evaluation of the nonprofit's entire cybersecurity infrastructure, networks, applications, processes, and practices. This includes identifying both technical and human-related vulnerabilities. Once the assessment is completed, the nonprofit receives a short, 2-page report containing a color-coded matrix of the 9 categories mentioned above and some initial mission recommendations.

This self-assessment is completed by all nonprofits upon joining the program. It consists of 30 different questions touching upon essential cybersecurity elements, divided into 9 concrete categories, as follows:

1. Assets and user management

2. Endpoint and network security

3. Remote access and cloud services

4. Backup

5. Public-facing digital perimeter security

6. Multi-Factor Authentication (MFA) and password management

7. Cybersecurity awareness

8. Dark web and active logs monitoring

9. Governance (policies)

The 30 questions of the assessment can lead to a total of 34 comprehensive missions, separated into three categories: People, Technology, and Processes.

As a result, nonprofits map their cybersecurity needs and maturity level, while gaining access to industry-grade expertise to strengthen their internal capabilities and to upskill staff. This type of actionable and concrete cybersecurity assistance provided through by the CyberPeace Builders is unique, as it empowers nonprofits not only with access to the workforce they are missing, but also with the resources and tools necessary to demonstrate that they are taking their cybersecurity seriously – which builds trust with donors and beneficiaries of their services, protects sensitive data, and can lead to long-term budgetary savings and better investments.

Who does your solution serve, and in what ways will the solution impact their lives?

In the past few years, hundreds of NGOs have started to report being the victims of cyberattacks, with many research studies indicating them as the second most targeted sector. It is believed that only 1 in 10 nonprofits offer cybersecurity awareness training to their staff, only 1 in 5 have a cybersecurity policy, and 1 in 4 nonprofits have the resources and knowledge to monitor their network against threats. This is due to the fact that, since most nonprofits operate on limited resources, it is difficult for them to attract the required cyber-talent that could implement the relevant security controls for their organizations. Along these lines, a recent study conducted by the Institute in 2023 amongst Geneva-based nonprofits, highlighted that 56% of NGOs do not have a budget allocated for their cybersecurity needs, while 70% of them do not believe to have the knowledge, skills, and resilience necessary to respond to a cyberattack. 

It is this lack of resources, knowledge, and capacity that render nonprofit vulnerable to cyber threats – but it is exactly on these aspects that the CyberPeace Builders program proves its added value as an adequate solution. The CyberPeace Builders program serves nonprofits around the world to enhance their digital resilience. More precisely, the program empowers the staff of nonprofit organizations to continue the delivery of their life saving services to their own beneficiaries without the fear of the harm caused by cyberattacks. Their profiles vary greatly, ranging from C-level professionals, to programs or operations staff, as well as IT personnel in some organizations. 

The program provides access to nonprofits to different cybersecurity resources specifically designed keeping their operational realities and needs in mind; it focuses on capacity-building and on equipping nonprofit staff with the right behaviours, skills, and best practices to spot potential cyber threats, while connecting them with cybersecurity experts that deliver trainings, vulnerability scans, or help these organizations better monitor their networks. For example, in 2023 alone the program delivered 114 awareness missions to over 60 NGOs equalling approximately 240 hours of capacity-building. 

How are you and your team well-positioned to deliver this solution?

The CyberPeace Builders program is designed and implemented by the Operations Team of the CyberPeace Institute. The Team has 8 Full-Time Employees and 1 Part-Time Employee. The Team is suitable to carry out the work thanks to its experience with the program since its early, incipient phase in 2021. We are professionals coming from different backgrounds, with a range of skills from inside and outside the cybersecurity industry, such as the security sector, humanitarian world, or private companies. We have initiated the CyberPeace Builders program with a clear understanding of the problem and a strong ambition: to make a difference and have an impact on an underserved community of vital importance to billions of vulnerable individuals around the world.

Since the beginning of the program, we always aimed to have a regional approach and to build trust with the nonprofits we serve. In this case, our regional advisors on the ground (one colleague in Geneva, Switzerland for Europe and another colleague in Nairobi, Kenya for Africa) act as liaisons between the corporate volunteers and supported nonprofits, thus providing a localized and contextualised approach that ensures support is adapted to the needs of each nonprofit. Furthermore, we have done extensive research and testing to position our CyberPeace Builders programme and platform. As a result, we are the only ones providing cyber assistance to nonprofits for free, with a financially sustainable solution based on corporate social responsibility (CSR). 

During the past three years, the program evolved based on the feedback received from the nonprofit organizations we serve. We are a young, motivated, and human-focused team; our aim has always been and will be to understand the needs of the community we serve by directly connecting with them. For example, the General Cybersecurity Assessment was designed after an exploratory process of nonprofits’ cybersecurity needs, in order to achieve a tool that is aligned and respects both industry standards (NIST Cybersecurity Framework) and nonprofits’ operational realities and needs. We also gather continuous feedback from those we serve: after every engagement, volunteers and nonprofits are invited to submit a feedback form to let us know how we can improve. We have a target to keep satisfaction above 80%, which we have always met; for example, the current satisfaction rate for nonprofits is at 95%.

Which dimension of the Challenge does your solution most closely address?

Which of the UN Sustainable Development Goals does your solution address?

• 9. Industry, Innovation, and Infrastructure
• 10. Reduced Inequalities
• 11. Sustainable Cities and Communities
• 16. Peace, Justice, and Strong Institutions
• 17. Partnerships for the Goals

What is your solution’s stage of development?

Please share details about why you selected the stage above.

We are very fortunate to serve 270 nonprofits organizations coming from different parts of the world, with assistance from more than 750 volunteers. More precisely, the program currently supports organizations in over 50 countries, themselves having operations in more than 120 countries across Europe, Africa, Middle East, Latin America, Oceania, and North America. The nonprofits we serve are active in multiple sectors, such as humanitarian assistance, sustainable development, peacebuilding, mediation, environment, healthcare, reproductive rights, social inequalities, poverty, children, youth education and empowerment, human rights, justice, water, food, migration, demining, women rights, as well as organizations working to prevent radicalisation, violence, misinformation, and polarization. These nonprofit organizations serve hundreds of millions of direct beneficiaries through their programs, thus, explaining the need for them to strengthen their cybersecurity resilience.

Below you will find a breakdown of our achievements this far:

• 750 cybersecurity experts enrolled as volunteers. 

• 270 nonprofits actively receiving free cybersecurity capacity-building. 

• A total of 770 missions were created to assist nonprofits with their cyber needs, out of which 475 missions were delivered amounting to more than 1,500 hours of free cybersecurity capacity-building. 

• A General Cybersecurity Assessment (GCSA) was developed based on NIST Cybersecurity Framework to meet the need of nonprofits to access a comprehensive self-assessment process. The GCSA now proposes a total of 34 cybersecurity assistance missions to NGO.

• More than 50% of the participating nonprofits have proven enhanced cyber-resilience levels after the first 6 months in the program. Progress was monitored and evaluated after nonprofits completed a second General Cybersecurity Assessment. 

• Development of a 3-hour, self-paced training that supports the volunteers participating in the CyberPeace Builders by enhancing their soft skills or consolidating their knowledge on the cyber needs of NGOs with a certificate at the end. 

• Received the Geneva Centre for Security Policy Award in Innovative Global Security in 2022.

• McDermott Will & Emery’s Global Privacy & Cybersecurity team provided an examination of existing cyber volunteer programs, flagging the excellence of the CyberPeace Builders program. Report is available here.

• The CyberPeace Builders model has been successfully selected by the US Cybersecurity and Infrastructure Security Agency (CISA) as a reference model to protect high-risk communities. More information available here.

Why are you applying to Solve?

We are applying to Solve to receive assistance in overcoming financial, legal, and market barriers in our endeavour to expand to the United States (US). In the US, 11% of the population lives under the poverty line. Food banks, shelters, nonprofit healthcare organizations are vital to these vulnerable individuals. Another equally pressing issue is exacerbating this situation: the severe talent shortage in the cybersecurity industry. While there are 1.1 million cybersecurity professionals in the United States, over half a million positions in the sector remain vacant. For nonprofits with limited budgets, hiring or retaining cybersecurity experts that command high salaries is a significant challenge. Projections indicate that the talent shortage may increase to 3.5 million by 2030 worldwide, leaving nonprofits in a precarious situation with minimal hope of receiving the protection they urgently need. 

On our side, we are actively pursuing to expand our services and presence in the US. We are currently working with close to 20 nonprofits based across the country and active in sectors such as healthcare, reproductive rights, social inequalities, and human rights, to mention a few. In addition, the US Cybersecurity and Infrastructure Security Agency (CISA), has selected the CyberPeace Builders program as a reference model to protect high-risk communities in the US. Becoming part of Solve would be a massive enabler for us to bring the CyberPeace Builders to a new geographical area: besides assisting us in understanding legal requirements to open an office in the US, this opportunity would allow us to explore new financial leads, to remove market barriers, and to empower even more nonprofit organizations to strengthen their cybersecurity. Moreover, we are looking to expand our services to social enterprises as next step of our growth and we believe we could greatly benefit from Solve's expertise in this area.

Here at the Institute, we strongly believe that collaboration is the key to a better and more secure future - this belief is being materialised through the CyberPeace Builders program. Our ambition is to connect every cybersecurity professional to every nonprofit in the world. To do that, we need to scale up our existing network from hundreds of volunteers and NGOs, to thousands and more. To support this growth, we have already invested in our data pipeline and dashboarding capabilities for business analytics purposes. Solve would provide us with a platform to bring our capacities to the US and make them known across different communities, which in turn can lead to new funding or collaboration opportunities with like-minded organizations.

In which of the following areas do you most need partners or support?

• Financial (e.g. accounting practices, pitching to investors)
• Legal or Regulatory Matters
• Public Relations (e.g. branding/marketing strategy, social and global media)

Who is the Team Lead for your solution?

Stéphane Duguin