Most local civil society organisations vulnerable to cyber risks – Report

Civil society organisations in the Macau SAR remain vulnerable and exposed to cyber risks and should partner with local authorities and private service providers to enhance their cyber resilience capacities, a report by researchers from the United Nations University Institute in Macau shows.

Titled ‘Civil Society Organizations’ Cyber Resilience – leaving no civil society organization behind in cyber resilience’ the research was carried out by United Nations University researchers Christy Un, Mamello Thinyane and Debora Christine.

The report details an investigation of the cyber resilience posture of CSOs in the local context of Macau SAR and finds that the organisations are operating in the context of increased cybersecurity vulnerability and limited resources and capacity for cyber resilience, which has been exacerbated by the COVID-19 pandemic.

CSOs are defined in the report as civil society or volunteer-run associations, social movements, and the non-profit sector.

‘In general, CSOs continue to experience marginalisation within the cybersecurity domain as far as threat intelligence reporting, direct technical support for incident handling, and capacity-building is concerned,’ the report points out.

‘As a result, most CSOs adopt ad hoc and haphazard cybersecurity management practices, further perpetuating their precarity and vulnerability.’

The increased cybersecurity risk faced by CSOs was considered a global trend arising from a higher reliance on digital technology for their missions and operations, with a report from the Institute for Critical Infrastructure Technology (ICIT) cited as indicating that 47 per cent of international NGOs or non-profit organisations surveyed did not have cybersecurity frameworks in place.

Macau Computer Emergency Response Team Coordination Centre

According to the data from the Macau Computer Emergency Response Team Coordination Centre, a significant proportion of cyber threats in Macau are attributed to phishing attacks (37 per cent) and active attacks (32 per cent).

The centre also received around 1,600 cybersecurity risk alerts per day on average in 2020, demonstrating how the pandemic led to a higher number of cyber attacks and crime.

Some high-profile cyber-attacks included the hacking of the Health Bureau online platform, which resulted in the interruption of the service for supplying masks to residents, and a ransomware attack against the Macau Portuguese School (EPM).

The most common cyber incidents encountered by local CSOs included disinformation, password mismanagement, physical security violations, hardware failure, malicious software (viruses, spyware or malware), social engineering attacks (fraudulent emails or being redirected to fraudulent websites) and computer crashes.

The report underlined that such attacks highlight how cyber incidents can affect and disrupt the regular operations of institutions and organisations, and the importance of cybersecurity capability and a cybersecurity support ecosystem for enabling an effective response to cyber threats.

Since CSOs are currently not considered critical infrastructure operators under the Cybersecurity Law enforced in 2020, they are not subject to heavy fines and penalties for failing to put cybersecurity measures in place or to notify the authorities when they are the victim of an attack.

‘In general, and congruent with the global situation, there is a lack of awareness and investment in cybersecurity by local funders and CSOs,’ the report adds.

A survey carried out by the researchers among local CSOs showed that almost 84 per cent of the respondents recognised the importance of having a cybersecurity plan in place; however, these perceptions do not translate into practice and are not reflected in the perceived cybersecurity posture of the organisations.

United Nations University Institute in Macau

The same survey showed that 73 per cent of the organisations do not have measures in place to identify cybersecurity risk, and less than 10 per cent undertake a risk assessment that covers cybersecurity risks.

‘More strikingly, only a small fraction of the organisations (14 per cent) have processes to understand the risks they face, to identify critical organisational resources and the impact of incidents, and to put in place mitigation strategies.’

The report underlined that ‘notably’ the Social Service Facilities’ Regular Funding Budget Guidelines do not mention investment in cybersecurity or digital technology, except for the procurement and disposal of fixed property from public departments, private donors, and individual organisations.

Furthermore, cybersecurity is not indicated in the section on organisational management mechanisms, which covers the management of organisations’ operations, human resources, finance, and reputation, except for a call for organisations to establish a guideline on the use and protection of sensitive data.

‘Overall, there is limited support for CSOs within the local context as far as direct technical assistance, capacity-building, and targeted funding instruments are concerned,’ the report adds.

Most of the organisations were implementing cybersecurity management at the basic level of maturity, through ad hoc practices and approaches or using systems that are ‘old and outdated’.

As an example, the report notes that some CSOs rely on free software and security applications, such as those available to nonprofits at no cost, which can expose them to potential cyber threats.

Most organisations also do not have dedicated IT personnel to actively perform security monitoring and incident response, and mainly depend on staff familiar with IT within their own and affiliated organisations, or on outsourced IT support from service providers and contractors.

Only 30 per cent of the organisations indicated that they received support from the government for compliance with cybersecurity-related regulations and legal requirements, and almost half were not aware of having received any support from the government.

In the end, the report recommends that governments, CSOs, and private service providers coordinate capacity-building, knowledge-sharing, and cybersecurity resourcing, and undertake meaningful partnerships towards enhancing not only CSOs’ cyber resilience but overall societal cyber resilience.

CSOs should undertake cyber resilience management training for senior management, adopt appropriate cyber resilience management models, allocate and prioritise funding for cybersecurity, undertake targeted organisation-wide cybersecurity capacity-building, and leverage external support and partnerships for cybersecurity.

At the same time, the Macau government should provide specific support for CSOs and prioritise cybersecurity funding, cybersecurity capacity building and threat intelligence research and communication.

The report noted that although most CSOs receive government funding, they are required to use their budgets in conformance with the government’s funding criteria, which neither prioritise nor provide specifications for cybersecurity expenditure.

‘For example, one of the guiding principles from the Social Welfare Bureau regarding the procurement of IT assets, in the words of the CSO staff interviewed, is that “the bid belongs to items with the lower price (價低者得)”. This foregrounds cost-effectiveness, as opposed to the security of the IT asset, as the most important criterion.’

The United Nations University Institute in Macau is a research institute that conducts UN policy-relevant research and generates solutions, addressing key issues expressed in the UN 2030 Agenda for Sustainable Development.