The organization is an international human rights NGO with a headquarters team of 25 and field offices in three countries. It documents human rights abuses, advocates before international bodies, and provides direct support to at-risk communities, and it works with whistleblowers, witnesses, and partner organizations in politically volatile regions.
Their funders include major foundations and government development agencies — all of whom have increasingly specific requirements around data handling, incident response capability, and compliance documentation.
We started with a comprehensive security assessment that served two purposes: identifying the actual risks the organization faced, and producing the documentation their funders required.
This wasn't a checkbox exercise. We mapped the organization's real threat landscape — including the specific threat actors known to target human rights organizations in their operating regions — and assessed their current controls against those threats. The output included both a technical remediation roadmap and a compliance-ready summary their grants team could share with funders.
We ran role-specific training sessions for headquarters and field staff. For field teams, this meant practical training on recognizing targeted phishing, securing mobile devices, and safe communication practices when working in high-risk environments. For headquarters staff, we focused on handling sensitive data, recognizing social engineering, and understanding what to do (and who to call) if something looked wrong.
The training was built around the threats that actually target organizations like theirs — not generic corporate security slides about password hygiene.
We deployed Matrix/Element as the organization's encrypted communications platform, replacing personal WhatsApp and consumer video tools. This gave them end-to-end encrypted messaging and video conferencing with organizational user management, device verification, and retention controls — critical for an organization where a compromised communication channel could put people at physical risk.
For document management, we set up Nextcloud on our EU/Iceland infrastructure, providing encrypted file storage with version control, shared workspaces, and granular access controls. Field offices can securely access and share documents without sending sensitive files over email or storing them on personal devices.
We built a lightweight but functional incident response capability tailored to the organization's size and resources. This included a response plan with clear roles and escalation paths, pre-built communication templates, and a designated response contact at Secure Origin for the first 90 days.
We ran a tabletop exercise simulating a compromised field device — walking through detection, containment, notification, and recovery with the people who would actually be responsible. The exercise surfaced several gaps in communication between field offices and headquarters that were fixed before they mattered in a real incident.
"For the first time, we can tell our funders exactly how we protect the data they trust us with — and show them the evidence."