Cybersecurity for a non-profit organisation

Addressing the "dark side" of digitalization for NGOs. The target audience handles highly sensitive data but lacks the infrastructure of corporate entities, facing unique vulnerabilities that standard IT solutions cannot solve.

Year: 2025 – 2026

Category: Service Design / UX Consulting

Client: Centrum pro integraci cizinců (CIC)

Duration: 12 weeks

Location: DaNang/Vietnam, Denpasar/Indonesia

Tools: Miro, Notion, Figma, Google Suite, Typeform

Design process: Design Thinking, Human-Centered Security

Wellbeing

Support

Mental Health

Experience

The project itself:

The context & Project scope

CIC (Centre for Integration of Foreigners) serves as a critical support hub for migrants in the Czech Republic. While the organization manages highly sensitive personal and legal data, it operates as a small non-profit with limited budgets. Unlike large corporations, CIC lacks a dedicated IT department. This creates a dangerous paradox: they hold high-value data critical to clients' lives, but rely on minimal resources to protect it.

Hypothesis:

The barrier to cybersecurity for local NGOs is not a lack of awareness, but a scarcity of accessible, tailored resources. Right-sized measures can protect client data without overwhelming the organization.

Goal:

To design and implement a sustainable security framework. The primary goal is to audit vulnerabilities and introduce effective data protection protocols that foster institutional trust.

My role:

Cybersecurity consultant / project lead responsible for the initial audit, risk assessment, and the end-to-end implementation of security policies and staff training.

Responsibilities:
  • Security audit & gap analysis

  • Stakeholder interviews

  • Risk assessment matrix

  • Data flow mapping

  • Vulnerability Scanning

  • Security policy design

  • Implementation roadmap

  • Staff training materials

  • Impact evaluation

  • Feedback loops

Setup the mindset

Discovery & Mindset

As my baseline approach, I chose the Design Thinking methodology combined with the principles of Human-Centered Security. This approach helps me focus primarily on people—their needs, behaviors, and limitations. My goal is not purely a technical solution. I am interested in situations where a person might make a natural mistake and how to design measures that are meaningful, understandable, and encourage secure behavior.

Organisation selection: Why CIC?

Initially, I conducted unmoderated usability studies with several participants, who answered various questions about the app and shared their observations while interacting with the initial low-fidelity prototype.

After collecting the data, I analysed and synthesised the findings, ultimately identifying key themes and generating several insights.

The goal was to identify pain points that the user experiences with the app designs so the issues can be fixed before the final product launches.

Vulnerable Target Group:

Enhancing cybersecurity protects the clients themselves and fosters institutional trust.

Practical Need:

As a smaller NGO, CIC lacks extensive IT resources, making it a perfect partner for implementing accessible security measures.

Local Availability:

Official collaboration was formalized to ensure project outputs will be practically applicable and beneficial in the real world.

User Research & Audit

Before the primary stakeholder interviews, I formulated initial hypotheses regarding typical NGO vulnerabilities. I then created and distributed an entry audit questionnaire to understand CIC's actual maturity level in cybersecurity. This helped identify what processes were already in place and where the most critical gaps lay.

Identified pain points:

  • Password Chaos: Staff highlighted passwords as a major issue. There is no unified system for creation, storage, or sharing, leading to unsafe workarounds.

  • Missing Incident Protocols: There is no formal incident response plan. In the event of a cyber attack or data breach, the organization would face operational chaos.

  • Lack of Training: Employees and volunteers completely lack regular cybersecurity awareness training, making the "human factor" the biggest vulnerability.


Prioritisation & Design Challenge

MoSCoW Analysis

Based on the audit responses, I categorized the identified security gaps using the MoSCoW method. This clarified what the organization must address immediately versus what can be planned for the future. The absolute "Must-Haves" were password management, staff training, and an incident response plan.

The Design Challenge:

"How might CIC strengthen its cybersecurity resilience when it lacks established processes for password management, staff training, and incident response, while simultaneously needing a simple way to handle asset management and cloud data?"


Ideation & Validation

Brainwriting & "How Might We"

To address the design challenge, I translated the core problems into "How Might We" (HMW) questions. Through brainwriting, I generated potential solutions focusing on simplicity and low barriers to entry. Ideas included introducing password managers with easy onboarding, creating a 1-page incident "cheat sheet," and designing simulated phishing exercises.

Validation Interview

Before finalizing the proposal, I conducted a validation interview with CIC management. The goal was to ensure the proposed measures aligned with their actual capacity. Together, we prioritized the Top 3 problems to solve:

  • Passwords and their management.

  • A security recommendation brochure for onboarding/offboarding.

  • A step-by-step guide in case of a cyber attack.


The Solution & Lean Canvas

Instead of overwhelming the NGO with complex corporate software, the solution takes the form of a tailored Digital Security Guide (based on the Cyber Compass framework).

Solution Architecture (Lean Canvas highlights):

  • Unique Value Proposition: Delivered as open data, allowing the organization to easily update the content in the future. It is highly practical and directly integrated into the employee onboarding process.

  • Key Metrics for Success: The number of staff/volunteers who receive the guide, its integration into standard onboarding, and a reduction in critical errors (e.g., weak passwords).

  • The Product: A simple, visually appealing, and easily understandable security brochure available in both digital (PDF) and printed formats.

The project conclusion

Final Outcome: Synthesis & Real Impact

The final step was to synthesize the key project elements, evaluate the theoretical impact on the organization, and outline strategic next steps for continued security resilience.

Takeaways

Creating a tailored, visually accessible guide integrated directly into standard onboarding ensures high visibility. It acts as a single, trusted source of truth, removing confusion about correct practices. Delivering it as "open data" empowers CIC to keep the content relevant, ensuring a sustainable solution.

Anticipated Impact

Introducing standardized password managers reduces the most critical vector for human error. Checklist protocols for onboarding and offboarding ensure a clean asset and access audit trail. Having a documented incident response plan reduces operational chaos and speeds up recovery from future breaches, ultimately protecting client trust.

What I learned:

The most crucial insight was prioritizing human factor analysis over purely technical solutions. The project validated that corporate security frameworks can be adapted for resource-constrained NGOs by focusing on human-centered design and iterative feedback, transforming abstract concepts into practical, adopted tools.

Next Steps

Identifying the strategic continuation for CIC’s cybersecurity framework.

Introduce basic systems to track guide adoption. Monitor how many staff and volunteers have implemented the primary recommendations, such as setting up a password manager. Implement regular, simplified security awareness training. This could include launching basic simulated phishing campaigns to teach threat recognition through practical, non-punitive examples.

Plan a secondary wave of policy implementation. Address identified gaps from the initial MoSCoW analysis (e.g., advanced cloud data management, penetration testing) once the foundational measures have stabilized. Establish a structured system to collect ongoing feedback from staff about the guide's usability. Use this data for periodic, small-scale iterations to improve content clarity and relevance.

© FAQ
(WDX® — 07)
Clarifications

FAQ.

Defining outcomes through a transparent process and honest dialogue.

01 What services do you offer?

02 What is your typical process?

03 How do you identify what users truly need?

04 Why invest in research instead of jumping straight into design?

05 What is your primary goal when designing an interface?

06 What exactly is the "output" of your work?
