Cybersecurity for a non-profit organisation
Addressing the "dark side" of digitalisation for NGOs. The target audience handles highly sensitive data but lacks the infrastructure of corporate entities, facing unique vulnerabilities that standard IT solutions cannot solve.
Year:
2025
Location:
Prague, Czech Republic
Design framework:
Design Thinking, Human-Centered Security
Tools:
Miro, Notion, Figma, Google Suite, Typeform
The problem:
Five products, five different navigations. Users switching between Pluxee Portal, NGM and Personal Account were losing their bearings, because the sidebar told them different things in different places. The tell was in support: "switching between companies and systems" kept coming back as a friction point, and nobody on the product side could point to a single source of truth for how it should work.
Goal:
To design and implement a sustainable security framework. The primary goal is to audit vulnerabilities and introduce effective data protection protocols that foster institutional trust.
My role:
Cybersecurity consultant and project lead responsible for the initial audit, risk assessment, and the end-to-end implementation of security policies and staff training.
Methods:
Security audit and gap analysis
Stakeholder interviews
Risk assessment matrix
Data flow mapping
Vulnerability scanning
Security policy design
Implementation roadmap
Staff training materials
Impact evaluation
Feedback loops
Discovery
I started in the field, not in slides. Before designing any security measure, I needed to understand who CIC actually is, what data they hold, and where the human factor is most exposed. The goal was to capture real moments where a small NGO is most vulnerable, not to apply corporate frameworks blindly.
/01
Context & project scope
CIC (Centre for Integration of Foreigners) serves as a critical support hub for migrants in the Czech Republic. While the organisation manages highly sensitive personal and legal data, it operates as a small non-profit with limited budgets. Unlike large corporations, CIC lacks a dedicated IT department. This creates a dangerous paradox: they hold high-value data critical to clients' lives, but rely on minimal resources to protect it.
/02
Discovery and mindset
As my baseline approach, I chose Design Thinking combined with the principles of Human-Centered Security. This approach helps me focus primarily on people, their needs, behaviours, and limitations. My goal is not purely a technical solution. I am interested in situations where a person might make a natural mistake and how to design measures that are meaningful, understandable, and encourage secure behaviour.
/03
Why CIC?
Vulnerable target group. Enhancing cybersecurity protects the clients themselves and fosters institutional trust.
Practical need. As a smaller NGO, CIC lacks extensive IT resources, making it a perfect partner for implementing accessible security measures.
Local availability. Official collaboration was formalised to ensure project outputs will be practically applicable and beneficial in the real world.
/04
User research and audit
Before the primary stakeholder interviews, I formulated initial hypotheses regarding typical NGO vulnerabilities. I then created and distributed an entry audit questionnaire to understand CIC's actual maturity level in cybersecurity. This helped identify what processes were already in place and where the most critical gaps lay.
Identified pain points:
Password chaos. Staff highlighted passwords as a major issue. There is no unified system for creation, storage, or sharing, leading to unsafe workarounds.
Missing incident protocols. There is no formal incident response plan. In the event of a cyber attack or data breach, the organisation would face operational chaos.
Lack of training. Employees and volunteers completely lack regular cybersecurity awareness training, making the "human factor" the biggest vulnerability.
Define
After collecting evidence in the field, I distilled the work into a clear problem picture. This phase focused on naming what truly breaks cybersecurity for a small NGO, and translating scattered findings into a prioritised list and a single design challenge the team could act on.
/01
MoSCoW analysis
Based on the audit responses, I categorised the identified security gaps using the MoSCoW method. This clarified what the organisation must address immediately versus what can be planned for the future. The absolute "Must-Haves" were password management, staff training, and an incident response plan.
/02
Design challenge
"How might CIC strengthen its cybersecurity resilience when it lacks established processes for password management, staff training, and incident response, while simultaneously needing a simple way to handle asset management and cloud data?"
Ideate
Research told us where the service was breaking. The next step was to turn those findings into ideas the organisation could actually run with. The constraint was clear: any solution had to be simple enough for a small NGO to adopt without dedicated IT support.
/01
Brainwriting and "How Might We"
To address the design challenge, I translated the core problems into "How Might We" (HMW) questions. Through brainwriting, I generated potential solutions focusing on simplicity and low barriers to entry. Ideas included introducing password managers with easy onboarding, creating a 1-page incident "cheat sheet," and designing simulated phishing exercises.
/02
Validation interview
Before finalising the proposal, I conducted a validation interview with CIC management. The goal was to ensure the proposed measures aligned with their actual capacity. Together, we prioritised the Top 3 problems to solve:
Passwords and their management.
A security recommendation brochure for onboarding and offboarding.
A step-by-step guide in case of a cyber attack.
Deliver
Instead of overwhelming the NGO with complex corporate software, the solution takes the form of a tailored Digital Security Guide, based on the Cyber Compass framework. The output is something CIC can actually use, update, and integrate into their daily routine.
/01
Solution architecture
The Digital Security Guide is delivered as open data, allowing the organisation to easily update the content in the future. It is highly practical and directly integrated into the employee onboarding process.
/02
Key metrics for success
Adoption. The number of staff and volunteers who receive the guide.
Integration. Whether the guide is integrated into standard onboarding.
Error reduction. A measurable reduction in critical errors such as weak passwords.
/03
The product
A simple, visually appealing, and easily understandable security brochure available in both digital (PDF) and printed formats. It works as a single, trusted source of truth for staff, removing confusion about correct practices.
Outcome
/01
Impact
Introducing standardised password managers reduces the most critical vector for human error. Checklist protocols for onboarding and offboarding ensure a clean asset and access audit trail. Having a documented incident response plan reduces operational chaos and speeds up recovery from future breaches, ultimately protecting client trust.
/02
What I learned
The most crucial insight was prioritising human factor analysis over purely technical solutions. The project validated that corporate security frameworks can be adapted for resource-constrained NGOs by focusing on human-centered design and iterative feedback, transforming abstract concepts into practical, adopted tools.
/03
Next steps
Adoption tracking. Introduce basic systems to track guide adoption. Monitor how many staff and volunteers have implemented the primary recommendations, such as setting up a password manager.
Regular awareness training. Implement simplified, recurring security awareness training, including basic simulated phishing campaigns to teach threat recognition through practical, non-punitive examples.
Secondary policy wave. Address identified gaps from the initial MoSCoW analysis (advanced cloud data management, penetration testing) once the foundational measures have stabilised.
Feedback loop. Establish a structured system to collect ongoing feedback from staff about the guide's usability. Use this data for periodic, small-scale iterations to improve content clarity and relevance.
