In almost every organisation I’ve worked with, I find the same pattern.
Good intentions.
Strong programmes.
Committed staff.
And weak digital hygiene.
Cyber hygiene is the set of basic practices that keep an organisation safe online. Yet many NGOs still treat it as optional.
The common weaknesses
These are the issues I see most often:
- Shared email passwords
- No backup system
- Old staff still accessing systems
- No device security policy
- Free software with hidden risks
- Unsecured websites
- No incident response plan
None of these are advanced problems.
They are basic.
Why it keeps happening
There are three main reasons:
- Security is seen as “IT work”
  It is pushed to one person instead of being shared.
- Budgets ignore digital safety
  Security is treated as an extra, not a necessity.
- No leadership ownership
  If leadership doesn’t care, staff won’t either.
The cost of weak hygiene
Poor cyber hygiene leads to:
- Lost donor data
- Compromised accounts
- Reputational damage
- Stolen reports
- Blackmail risks
- Operational shutdowns
And recovery is always more expensive than prevention.
What strong NGOs do differently
Secure organisations do a few simple things well:
- They use password managers
- They enforce two-factor authentication
- They train staff regularly
- They document access
- They test backups
- They review risks annually
No magic. Just discipline!
