Creating a sustainable cybersecurity ecosystem for a non-governmental organization
Lubaale, Suubi (2025)
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2025060319977
Abstract
This thesis explores the cybersecurity challenges faced by the Association of the Physically Disabled of Kenya (APDK), a non-governmental organization (NGO) operating in a rapidly evolving digital landscape. Recognizing the financial and operational constraints typical of NGOs, the project aimed to design a sustainable cybersecurity ecosystem tailored to address their unique needs effectively, thereby enabling the organization to securely advance its mission of supporting individuals with disabilities. It also sought to redefine how organizations in the non-governmental and non-profit sector perceive cybersecurity by simplifying its implementation and making it more accessible. These types of organizations have previously overlooked cybersecurity due to limited resources and a general lack of awareness, and the project aimed to bridge that gap through practical, cost-effective solutions. To assess and enhance the organization’s cybersecurity posture, the project used the NIST Cybersecurity Framework (CSF) 2.0 as a guideline for its approach, alongside the Cybersecurity Capability Maturity Model (C2M2). Key initiatives of the project included the utilization of Microsoft Entra ID for identity and access management, the creation of an automated incident reporting system using Microsoft Power Platform, and the development of security-related Key Performance Indicator (KPI) dashboards in Power BI to help bolster the organization’s security posture and reduce its attack surface. The strategy focused on maximizing the use of free and readily available technologies to minimize costs and ensure long-term maintainability. As a result, APDK achieved notable improvements in operational security and risk management practices, and made great steps toward full alignment with the Kenyan Data Protection Act of 2019.
The project findings showcased that even organizations with limited resources can significantly enhance their cyber resilience by adopting structured frameworks, leveraging existing tools, and investing in staff training and strong governance practices.