Cybersecurity

The CyberPeace Institute is helping NGOs defend themselves—before it’s too late

The institute, supported by Microsoft, connects volunteer cybersecurity experts with vulnerable nonprofits to close critical gaps in defense against nation-state threats.

In May 2017, a ransomware attack known as WannaCry hit more than 300,000 computers in 150 countries in just six hours, including systems that supported the United Kingdom’s National Health Service. Six weeks later, a malware attack called NotPetya disabled computers in Ukraine, wreaking havoc on transit systems, banks, and utilities.

It’s easy to think about cybercrime simply as attacks on computers, but the reality is that cyberattacks are often devastating to the lives and livelihoods of real people. Thanks to the extensive global reach of its products, Microsoft acutely understands the vast human impact of cybercrime.

In the wake of the WannaCry and NotPetya attacks, Microsoft’s cybersecurity leaders began thinking about ways to use the company’s reach and knowledge to help bring greater safety and stability to cyberspace. They envisioned an independent, international nonprofit organization that could bring Microsoft’s data and intelligence on cybercrime together with data from other companies to better identify and understand global threat actors.

Microsoft joined Mastercard and the Hewlett Foundation to design and fund the new organization, working with advisors from the public and private sectors. In 2019, the vision became reality with the founding of the CyberPeace Institute (CPI). “CPI is a completely neutral and independent organization that works to provide an honest view of the state of the internet,” says Adrien Ogée, COO of CPI.

In addition to advocacy and independent analysis of cyberthreats, CPI is dedicated to helping vulnerable communities and organizations, particularly NGOs, strengthen their security. “Nobody was serving under-resourced organizations at scale,” Ogée says. One key reason: vetting volunteers is prohibitively expensive and difficult, yet it is essential to confirm that they are both qualified and trustworthy, so that they do not compromise an organization’s security, whether by accident or by design.

To solve the problem, CPI created the CyberPeace Builders program, which connects security professionals at trusted private companies with NGOs around the world.

Today, CPI is able to make an impact, at scale, with a global network of 1,500 volunteers, including many security experts at Microsoft. Their experience sheds light on the issues facing NGOs and what can be done to help create a safer, more secure online world.

NGOs are vulnerable targets for cybercrime

Volunteers with CyberPeace Builders routinely encounter a sobering reality: many NGOs operate with minimal cybersecurity safeguards. This is understandable, says Minu Singha, a senior account manager at Microsoft who started volunteering with CPI in 2021. Nonprofit organizations rarely have funding for security staff and technology, she says, because they put whatever resources they have toward their mission: “If they are focusing on distributing food to places where a natural disaster has happened, they don’t think of putting that money in security.”

As a result, however, NGOs often lack basic protections such as complex password policies and multifactor authentication (MFA), gaps that are especially troubling given the sensitive nature of their work.

Often, the gap is not about money but expertise. Tamás Szivós-Aradi, a security solutions engineer at Microsoft based in Switzerland, found that the NGOs he worked with through the CyberPeace Builders program sometimes lacked protections that didn’t cost anything—they just hadn’t turned on security features that were included in products they were already using.

Weak security makes NGOs an easy target for threat actors. In the last four years alone, CPI identified 155,993 cyberattacks against nonprofits.

But why would a cybercriminal, particularly a nation-state actor, bother to target an NGO, which lacks the deep pockets of a commercial enterprise?

A back door for nation-state actors

“Nation-state threat actors used to focus on stealing government intelligence, but over the last few years, we’ve seen them shift their focus to disrupting a country,” says Jean-Paul van Ravensberg, a senior technical specialist with Microsoft Elevate, Microsoft’s internal organization that supports schools, community colleges, and nonprofit organizations globally. “Nonprofits have a lot of data about vulnerable people, vulnerable societies, and what’s really happening on the ground in a particular country. If a nation-state actor can steal that data and expose it, that will cause the disruption they’re looking for.”

Additionally, small NGOs can provide an entry point to larger organizations.

Szivós-Aradi worked with CPI to volunteer with a nonprofit organization that promotes ethical incarceration and facilitates information sharing between prisons and government agencies. “If I’m a threat actor and I manage to breach this NGO,” he says, “I might be able to send an email with a phishing link in it to a specific government employee from an email address at a partner organization.” That employee is far more likely to click a link in a message that comes from a known partner.

Szivós-Aradi sees this as a variation of supply-chain risk, a big issue for his enterprise clients. “Threat actors reach their targets through their providers, and it’s very difficult to defend against,” he says. “To secure the whole chain, we have to improve the security of every single link.”

Foundational steps go a long way

CPI volunteers receive materials and presentation guidance they can use to train a small group of people, who then train others in their organization. Helping organizations implement foundational security practices such as multifactor authentication (MFA) and security awareness programs, and advising them on data security best practices, brings enormous value. van Ravensberg points out that MFA alone stops 99% of attacks on NGOs. Following up after training with a phishing simulation to test an NGO’s staff takes little of a volunteer’s time but makes a big difference. “We don’t need to wait for a real attacker to send a phishing email to find the vulnerabilities,” Singha says.

When asked why it’s important for private sector security professionals to give their time to NGOs, Szivós-Aradi has a blunt answer: “What’s the alternative?” Security expertise is a scarce resource that companies like Microsoft have in abundance, and nation-state cyberthreats affect everyone, not just the public sector.

“It’s very, very difficult for nonprofit organizations to be able to access skilled security professionals, and CPI bridges that gap,” van Ravensberg says. Cuts to USAID have reduced NGOs’ funding and resources even further, making public-private partnerships like CyberPeace Builders more important than ever. “If there is a moment for people to think, ‘I want to step up,’” he says, “that moment is now.”