The 4Ps of Vulnerability: People, Processes, Policies and Platforms

Written by: Admin Admin

Date: July 28, 2025

The paradox of the digital space is that what makes an organisation strong can also be what makes it most vulnerable. For many Civil Society Organisations (CSOs) across Africa, digital threats are no longer distant concerns; they are present and real, often emerging from the inside rather than from faceless hackers.

The RT-10 report highlights four critical areas where CSOs face significant digital risk: People, Processes, Policies and Platforms.

Let’s take a closer look.

People – The first line of defence or the biggest risk?

CSOs are often filled with passionate, experienced professionals and activists. But when it comes to digital security, passion alone isn’t enough. The RT-10 report found that although many CSOs are led by strong voices in the sector, only a small number of their staff have the training to understand basic or complex aspects of digital safety.

Only 25% of the CSOs surveyed had staff who had received any form of digital security training. Even more concerning, none had made such training mandatory.

It gets riskier at the top. Board members and high-profile personnel, because of their public visibility, were flagged as potential targets for cyberattacks. And in organisations where volunteers play a big role, there are even more gaps. Volunteers are often external to the organisation and are not subjected to the same oversight as staff, making them potential weak links.

Digital security starts with people. Every staff member, volunteer and board member needs to be trained and aware.

Processes – What happens when there are no guardrails?

If people are the first layer, processes are the invisible rules that help keep everything in check. Unfortunately, the RT-10 assessment shows that most CSOs do not have these rules in place.

For example, 75% of the CSOs lacked a consistent process for managing shared accounts. Many simply give all staff access to passwords, making it difficult to track or contain breaches. Even more worrying, only 37% had a clear process for revoking access when a staff member leaves.

Some CSOs admitted that they wait days or even weeks after someone exits before removing their access. That window can be dangerous, especially if the exit was not amicable.

Without clear and consistent processes, even the most well-meaning teams can open the door to serious threats.

Policies – The rules that no one is writing

You can’t follow rules that don’t exist. Yet that’s the reality for most CSOs in the study.

Only 12% had a documented digital security policy. That means no formal guidance on how to respond to an incident, what data needs to be protected or who is responsible for keeping systems secure.

Even though CSOs listed financial data and beneficiary information as their most sensitive data, there was often no clear plan on how to protect it. The absence of policies has led to inconsistent practices, overlooked threats and confusion about who should take action when something goes wrong.

A written policy gives clarity, creates accountability and forms the foundation for a culture of digital safety.

Platforms – Tools that work for you or against you

Technology is powerful, but only when it’s used properly. The report found that 75% of CSOs use cloud storage, often paired with external hard drives. While that’s a step in the right direction, many organisations still rely on informal sharing methods like WhatsApp or personal email. These may be convenient, but they fall short on security.

Only 33% of CSOs enforced rules preventing staff from using personal devices for work. And just 25% provided clear software guidelines or support for configuration. Most were using free or pre-installed software, which often comes with limitations or security gaps.

The risks increase further when remote work enters the picture. With many CSOs adopting hybrid or fully remote models post-COVID, secure access, encrypted communication and monitoring systems are more essential than ever.

Having the right tools is not enough. CSOs need clear policies on how to use them, who can access them and how to protect information across every platform.

The RT-10 assessment makes one thing clear: most digital threats don’t come from highly sophisticated hacks; they come from everyday gaps in knowledge, structure and awareness.

If you work in or support a CSO, this is your call to action. Digital safety must become part of your organisational culture, not just a checkbox. And it starts with the 4Ps:

  • Train your people
  • Build clear processes
  • Write and update your policies
  • Secure your platforms

Right now, it’s less about preventing attacks, and more about creating a system where your mission can thrive without digital disruption.

At Resilience Technologies, we help African civil society organisations and at-risk communities build stronger digital defences through practical, context-aware cybersecurity support and sturdy tools. We offer team training, incident response and digital risk assessments tailored to your needs. Our goal is simple: create a secure digital environment where your work can thrive without disruption. Send us an email at info@rtafrica.org to get started.

Explore the full RT-10 Report.
