Norwegian Refugee Council leverages Okta for Good cyber scheme

Cyber challenges for NGOs

Collectively, charity organisations face huge risks from cyber criminals and other threat actors. NGOs often run their IT estates on a shoestring budget and their volunteer workers don’t always understand the need for good cyber hygiene, leaving them open to financially motivated cyber criminals.

Additionally, NGOs with interests that conflict with hostile governments may face targeted interference from nation-state hackers whose employers they have crossed. In the NRC’s case, these include both nation-state threats and crossfire from cyber warfare, which Galli has seen in both Gaza and Ukraine. Realistically, he says, the NRC cannot do much to protect itself from such threats, so here it falls back on its security providers – such as Okta. At the same time, the NRC also faces the same run-of-the-mill threats that smaller NGOs and businesses see.

“These could be opportunistic attacks, for example, our staff falling for phishing emails … giving away credentials or downloading malware, [so] we could have portions of our workers, either individuals or groups, being at risk,” says Galli

“We are not a small player and therefore we are also a target of fraud and scam attacks. We are – as all companies are – potentially victim to internal mistakes.

“These are the broad cyber security challenges. I would add that we do this in the context of conflicts where poor, or no, infrastructure exists – we work in countries where at times of conflict governments switch off or strongly control the internet. We have to operate in that environment – we may have no power grid, so we rely on generators or solar, we rely on satellite connectivity, which has high latency and low bandwidth.”

‘Do no harm’

The NRC’s work with governments also puts it at risk of targeted intrusion by malicious actors seeking to access government officials. And of course, its work with refugees, who having lost their homes and livelihoods are highly vulnerable people, and may also be dissidents wanted by unpleasant regimes, means its data protection practices must be unimpeachable.

“Okta for Good has helped us develop principles and training material for our staff around data responsibility. For us, responsibility goes beyond data protection,” explains Galli.

“That responsibility, in a few words, is to do no harm in a digital way. ‘Do no harm’ is a principle introduced in humanitarian work which means that whatever you do, you must not add to the harm that has already been felt by the people in need.

“This is even more important when we apply digital to contexts where people are not digitally native, or their maturity or understanding of the use of digital tools may be non-existent.”

“Okta for Good has helped us develop principles and training material for our staff around data responsibility. For us, responsibility goes beyond data protection”

Pietro Galli, Norwegian Refugee Council

Galli relates an experience in what is now South Sudan back in the 2000s: “There’s no electricity [but] there’s a little church compound with a little internet café, and a woman with a little baby on her back, she doesn’t even have shoes, is invited to come to speak to a relative.

“She doesn’t know what that means but she comes anyway to this little building which has a generator and a satellite connection. She sits down in front of a computer, that she has never seen before, and suddenly there comes the voice of a relative who has left and gone to the US. That is the context in which we operate – she had no clue of what the technology was.”

Of course, things have moved on apace since then. More of the NRC’s work has gone digital and this means it must take on more responsibility if it is to provide help to people at their lowest ebb. Or, as Galli puts it: “We have the power. It’s an uneven relationship, and we have to acknowledge it and be very conscious about it.

“But we also operate in highly digital contexts. In Ukraine, for example, after the onset of the invasion, we used completely online, digital tools to register over half a million refugees through chatbots and two-way comms provided by some of our other tech partners. That was the first time we did it at that scale, and it allowed us to quickly distribute cash through the banking system.”

Okta for Good

The NRC’s overall IT journey is understandably very different from that undertaken by a private sector organisation. As Galli puts it: “I wouldn’t say we were an overhead, but we’re definitely not the main investment area. If you compare us to any other business, the amount of money spent on technology is significantly lower.”

Okta, he explains, allows the organisation to do more better and quicker with its limited resources under difficult circumstances without having to invest significant sums, allows its staffers to save time in repetitive IT tasks and focus on their vital efforts around the world.

But it goes further than that. “When you’re talking to Okta, it’s not just a commercial conversation that we’re having. Okta is committed to understanding our mission and what we’re trying to do,” says Galli. “I went to Oktane [Okta’s annual customer conference] and was on stage; we were given the opportunity to tell our story. That’s an important platform.

“Okta runs a number of programmes. One that we have applied to in the past is a technology leadership programme; the other was a grant opportunity where we pitched our data responsibility ideas and we got a grant to develop a number of trainings on data responsibility that we agreed with Okta to put out for the sector.

“The idea is that we can use money from Okta to do things that the NRC needs, but also that others in the sector need, and we make those freely available.

“Okta for Good helps you to be able to do things that you would like to do, but that you will never be able to with your operating costs. It’s a little lump investment, but it has to be targeted to a specific piece of work that you can carry out,” says Galli.

So far, the NRC has created 24 training videos, ranging in their focus and complexity, some basic and some more advanced looking at issues such as working with the General Data Protection Regulation (GDPR). It is working on making these available in other languages, including three of the UN’s working languages, Arabic, French and Spanish, a process that should be complete by the middle of 2025.

Reflecting on the NRC’s relationship with Okta, Galli urges other non-profits not only to work on their cyber security, but to seek help and guidance from peers.

“If you’re a non-profit starting on this cyber journey, reach out to us, we’re open and ready to share, and I think there’s a good community out there too for that,” he says. “It can look daunting, but for us it’s been an important journey.”

Commercial relationship

The relationship is not all about grants and cyber advocacy – the NRC and Okta also became commercial partners shortly after Galli took up his role as CIO.

In 2015, the NRC was mostly operating an on-premise IT infrastructure, but the cloud era was slowly dawning on it, which is where its interaction with Okta began.

The NRC was already working with NetHope, a Washington DC-area organisation that connects non-profits with tech companies, and through that connection Galli first learned that some of his peers had adopted Okta’s technology.

The two organisations embarked on a proof-of-concept, the first one failed but subsequent attempts went better, and so from a slightly rocky start the NRC embarked on a long-term relationship with Okta, at first migrating about 1,200 users across four applications. This has grown to 10,000 Okta accounts and more than a hundred applications in harness as a 100% cloud-driven organisation.

“What Okta has allowed us to do is to scale smoothly and fast,” says Galli, “and in the past couple of years, we’ve realised other benefits.”

For example, in 2020, Okta supported the implementation of a global human resources system designed to oversee the entire lifecycle of an employee, from onboarding and initial setup to winding things up when people move on, generating significant efficiencies and ensuring appropriate security safeguards throughout the employee lifecycle.

As Okta is an IAM house at heart, this means all the NRC’s applications are protected by multifactor authentication (MFA) as a default, but Galli has also used Okta to apply MFA policies in different contexts given different situations. This could be biometrics for desk-based staffers in safe environments, or something more basic but equally resilient for those in the field with limited connectivity.

“Because of the environments where we work and the breadth of contexts, that has been very helpful, and it can all be managed centrally from a small team – that’s also important,” he says. “It does contribute to lifting our security posture.”

Looking ahead, he says, the NRC is trying to work more with local partners on the ground that may have better access that it does, and can help expand its reach. As more of this work will be digital in its nature, Galli hopes to leverage Okta to help to work with others in a way that is both cyber secure and cost-effective.

“That’s a challenge that we look forward to working out with Okta,” he says, “extending the security we get from them to our partners in challenging and economically constrained environments.”