Ask yourself, what are the main functions of a state? A state, defined as the principal governing entity over a given population, is typically tasked with distributing justice and ensuring its citizens are protected from internal and external threats. They are also the main provider of social and welfare services to their citizens. These services are normally funded by taxes and address a range of issues, from healthcare to education. However, when a state is unable to fund or operate various social programs, non-governmental organizations (NGOs) can provide a temporary solution. NGOs operate such services when, among other reasons, there is unsustainable corruption, poor administration, or severe conflict. Sadly, with the rise of civil and international conflicts in the past decade, more states are unable to provide these services simply because of the dangerous situation and consequences stemming from the violence. NGOs, however, still enter these conflict zones to provide essential services where the state cannot.
Unfortunately, both “hard” military targets, such as fortified positions and arms depots, and “soft” civilian areas, including hospitals and energy infrastructure, are indiscriminately targeted in modern conflicts. This places NGO staff and operations in increasingly challenging and risky environments. NGOs, therefore, must address five key security tenets to protect their staff and operations: cybersecurity, physical security, risk management, staff preparedness, and organizational crisis procedures.
Now, you may ask why anyone would target NGOs who are solely trying to help innocent civilians caught in a conflict. While there are several reasons, the most common are perceived allegiances with rival factions in the conflict, extortion through theft or kidnapping, ideological differences, depriving an “enemy” civilian population of vital supplies and services, or simply because of who the NGO’s donors are. While each NGO’s security needs will differ depending on their operational locations, mission, donors, and staff size, this article aims to highlight the basics of each security foundation and the best practices for each category.
Physical Security
When addressing physical security, there are three main methods an NGO can take: acceptance, protection, and deterrence.
NGOs prefer acceptance because of the inherent protection achieved by built-in integration with the community they are serving. Acceptance allows the NGO to achieve independent, impartial, and neutral operations, all fundamental elements for any NGO work. In an interview with Philip Hindmarsh, the Director of Global Security at Chemonics, an international development consulting organization, he stressed the underlying push by NGOs to gain acceptance.
To gain acceptance, NGOs must connect and network within the community at all levels, including through what Mr. Hindmarsh calls “field liaison consultants” (FSCs), who act as local representatives. Such community engagement can substitute for the need for harder security measures because the NGO and the services they provide are known, trusted, and ingrained in the community. There are times, however, when acceptance does not work because of sudden or building differences in local perceptions or political intolerance of the NGOs.
This can result in either increasingly dangerous conditions for the NGO and staff or an outright ban on their operations. While NGOs may prefer to use acceptance as their primary mode of protection, they must be ready to implement either protective or deterrent methods when acceptance no longer works.
Protective measures can be associated with the hardening, or discreet alternation, of vulnerable positions, such as offices and transportation. Protection includes both overt and covert measures, ranging from fortifying physical locations to reducing exposure while in public. Yet these protective practices can isolate the NGO from essential community engagement, with domineering physical walls creating unseen barriers between the NGOs and the community they are trying to connect with.
Deterrence involves presenting a counter threat if attacked. These methods normally include the threat of sanctions, withdrawal of services, and armed protection. Deterrent measures require the backing of an entity who can enact the necessary counter measures if the NGO is attacked. Such alliances with governments, established militaries, and armed groups place the NGO in a precarious position, as it threatens their image of impartiality in a conflict. As such, deterrence is saved as a minor or last resort security method.
The NGO now faces the challenge of implementing its chosen strategy, regardless of the method it decides to use. While many NGOs have in-house procedures, when it comes to establishing protective or deterrent strategies, NGOs will hire private security consultants, or PSCs. PSCs can provide physical security and relevant expertise for protective and deterrent measures. They also can, for example, work as front-line diplomats, securing NGO transportation routes through diplomacy. PSCs provide essential protective services where NGOs cannot, ranging from providing physical security to guiding staff training and risk assessments.
While no one method fits all situations, each approach has its justifications and drawbacks. Although NGOs prefer acceptance because of the community engagement and protection it provides, it is not always guaranteed. When acceptance is impossible, NGOs enact either protective or deterrent measures with the help of PSCs. Ultimately, each method enables NGOs to persist in providing vital services in conflict zones.
Cybersecurity
NGOs can face cyber attacks aimed at observing or disrupting their operations. Mr. Hindmarsh summarized the most common formal actors conducting cyberattacks against NGOs as both host and rival national security and intelligence services who are keen to know more about the NGOs’ operations. Rival states conduct such attacks to gain leverage or to spread disinformation. Host states can attack to gather data on local staff, citing potential conflicting alliances. For example, this is the justification offered by Israel and their recent push for local staff lists of NGOs operating in Palestine. Non-state actors comprise ideologically motivated hackers and armed groups looking to extract data on local staff and operations, either to hold ransom or to spread to other malicious actors.
The most common cyber attacks are phishing campaigns targeting local staff. The best way to address cybersecurity demands, according to Mr. Hindmarsh, is by placing “cybersecurity at the enterprise risk management level…[to] protect your most sensitive data”. Additionally, decision-making authority should be held by a small group of experts. In addition to placing cybersecurity at the strategic level, he recommends “minimizing data collection, segmenting where that data is stored, […] restricting access based on roles, [and] staff training and awareness.” These measures promote better cyber governance and risk ownership, thereby minimizing the risk and spread of an attack.
Risk Management
There is a simple risk formula used by the NGO industry that describes risk as the product of threat multiplied by vulnerability, or simply Risk = Threat x Vulnerability. “Risk” is defined as the probability of a specific negative event catastrophically affecting NGO staff or operations. “Threats” are events or actions directed at the NGO and are categorized as either direct, including targeted violence, or indirect, such as supply chain breakdowns. “Vulnerability” is the degree of exposure to a given threat. When focusing on a specific risk, the process is called a risk assessment.
Risk management simply considers the sum of all risk assessments. Once the risks have been quantified, the NGO can begin to draft mitigation procedures to reduce their vulnerabilities or build crisis management mechanisms to prepare if a risk becomes a reality. Some NGOs, however, are reluctant to leave their mission unfinished, even in the face of violence. This leads NGOs to balance the ethical dilemma of keeping themselves safe with the loss the local community would feel with the sudden withdrawal of their help and services. This dilemma translates into different risk thresholds across the industry, meaning each NGO has its own acceptable risk threshold, with some opting to not operate in a conflict because the risk is too high.
Risk assessments are situational, and there is no one rule that fits all for NGOs. However, a common theme these assessments have is their foundation in qualitative data, which is collected through interviews, checklists, and incident reports. This data, however, is best collected “on the ground,” meaning local staff must conduct and analyze these reports themselves. Therefore, to create quality risk assessments, local staff must be adequately trained on how to gather and analyze such data. Gathering and analyzing realiable data ensures the NGO can paint an accurate picture of the risks they will face if they operate in a given conflict zone.
Staff Preparedness
In addition to developing local employees to help enhance NGOs’ risk assessments, staff training and preparedness give local staff the knowledge and ability to avoid dangerous situations, therefore improving NGO staff security. However, a 2010 research review focusing on the security policies of 20 NGOs operating in conflict zones found many NGO staff felt there was inadequate staff training on how to keep themselves safe. When asked about this issue in today’s environment, Mr. Hindmarsh recommends NGOs emphasize training on “situational and context awareness for every single staff member …incident reporting… digital hygiene…safe haven, evacuation, and relocation procedures… [and] communication redundancies.” Lastly, there should be either a program or operational-level training manager who updates the local team on security training and directives from the NGO headquarters.
Additionally, Mr. Hindmarsh stressed staff training on how to strategically communicate about the program by providing the minimum amount of information needed to safely navigate through an interaction. Verification points, for example, represent one of the riskiest situations for NGO staff, as they can be detained simply because of the organization they work for. According to Mr. Hindmarsh, to avoid detention or risk interactions, NGO staff must be trained to give as little, yet necessary, information to safely pass checkpoints and other interactions with armed factions.
Both staff and operational security are essential to continuous and safe NGO operations. While staff preparedness focuses on protecting NGOs’ vital human capital, adequate organizational procedures safeguard the NGOs’ operations when faced with the possibility of major negative disruptions.
Organizational Crisis Procedures
An NGO can take all necessary measures to protect itself from major disasters targeting its staff or operations, yet it must have robust organizational crisis procedures in place if an identified risk becomes reality. Such durable procedures are made possible with well-planned and codified responses and appropriate staff, resource, and infrastructure allocations.
For example, if an NGO is faced with a ransomware attack, they must plan for whom the crisis response team consists of, where they will work during the crisis, how they will communicate and travel, and the necessary funding for the crisis team’s operation. While even the best-laid plans fall apart, codifying the fundamentals of how to assign and supply a team of crisis stakeholders and experts guarantees the NGO can appropriately reply to an emergency when it emerges.
Conclusion
NGOs provide necessary, yet temporary, essential services in places where the state cannot provide for their citizens. This drive to provide, however, also draws NGOs to conflict zones. Here, the state is vulnerable and unable to guarantee security for NGO staff and operations. Therefore, NGOs must look to their own security.
There are five security elements NGOs must consider: cybersecurity, physical security, risk management, staff preparedness, and organizational crisis procedures. Although NGOs can hire private security contractors for consulting, logistical support, and physical security, ultimately many of the necessary adjustments must be internal. For example, cybersecurity should be managed at the executive level, with more staff training and data management to prevent both state and non-state actors from accessing sensitive data. When addressing staff preparedness, there must be internal training and structures that clearly communicate best security practices to local staff in conflict zones. Likewise for organizational crisis procedures, internal policies must be written to allocate necessary crisis staff, resources, and infrastructure and allow flexibility in the responses. Individual NGO organizational culture and risk tolerances influence how they form their risk management strategy, as there is no universal risk baseline. Lastly, NGOs in general prefer to avoid hardening their operations with protection or deterrence methods, opting instead to become ingrained in the community they are serving through acceptance. NGO security requires a delicate balance between the NGO’s ability to protect their staff and operations and their ability to remain approachable and independent. The lessons learned serve as the general methods for addressing NGO security in conflict zones.
Additional Readings
Christopher Spearin: Humanitarian Non-Governmental Organizations and International Private Security Companies: The “Humanitarian” Challenges of Moulding a Marketplace, 2007
Haldun Yalcınkaya: The Nongovernmental Organizations–Military Security Collaboration Mechanism: Afghanistan NGO Safety Office, 2013
Elizabeth Rowley, Lauren Burns, and Gilbert Burnham: Research Review of Nongovernmental Organizations’ Security Policies for Humanitarian Programs in War, Conflict, and Postconflict Environments, 2013
