Last week, School of Data asked us to put together a few tips for civil society organizations who want to improve their security practices and keep their communities and operations safe. This post is for organizations who are trying to wrap their heads around how to begin to address information security risks.
To be clear, the steps an organization can and should take are as diverse as the contexts it works in. If you are a team fighting corruption in an authoritarian state, with poor internet connectivity, frequent power cuts, and large-scale data projects, you will obviously have different security needs than a team campaigning for more open data in a Global North country. Security risks and ‘mitigation tactics’ (read: ways to protect yourself) depend on every aspect of your work: staff size, organizational resources, office infrastructure, the technical know-how of staff, the services the team uses, current practices, past threats and attacks, and more.
To address security concerns it is smart and often necessary to have the support of an experienced security trainer who can help you determine the best course of action. If you are worried about your security, please contact a support organization that you have a relationship with and ask them to point you to a security support organization. But here are a few general tips for starting to understand your security situation.
- Understand what you have. This might seem obvious, but lots of organizations and teams collect so much information (emails, documents, financial information, spreadsheets, publications, mailing lists, etc.) that they often don’t know what information they have. Try making as exhaustive a list as you can (and don’t forget physical documents!). Work through the list and tag each item by sensitivity (1 being the least sensitive, 5 being super top secret) and by importance for operations (1 being we could easily work without it, 5 being if we lost it we’d be lost ourselves). With this list you have a much clearer picture of what you hold. Remember that the list itself is a piece of information that is both sensitive and important for operations, so store and share it accordingly.
- Protect what you have from loss and unauthorized use. For the most sensitive items, take precautions to protect the information. Protecting information means limiting access to the people in the organization who need it, and putting systems in place so that it cannot be easily accessed by anyone who has not been granted permission. If information is rated as highly important for operations, make sure it is backed up regularly, that the backups are not stored in the same environment (and perhaps not even in the same country) as the originals, and that you have actually tried restoring from them; a backup you have never restored is a hope, not a plan. Backups of sensitive information are themselves sensitive and need the same access limits as the originals.
- Only collect and save what you need to. If something is rated highly sensitive but not important for the organization, you are collecting information that can only do you harm. Use that finding to push for more responsible data collection. If you don’t need it, don’t collect it. And if you already collected it and don’t need it, get rid of it. Got a list of names and personally identifiable information about participants from a workshop you did three years ago? Get rid of it!
- Promote individual learning within the organization. The security practice of each member of the organization affects the team as a whole. Provide opportunities and share information about improving security practices in the way that each individual uses digital tools and information. If you have regular learning opportunities for your team, make sure that security training is on offer. For example, if someone is accessing email related to sensitive work on their phone, provide guidance and training on how to make sure the information and the phone are protected.
- Identify people in your organization as future security heroes. Learning about, and pushing for, better security practices isn’t for everyone. Find people who are keen to learn more about how to protect information and encourage better security practices for the team. Provide professional development opportunities for them and once their skills are developed, trust them when they say something is important.
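The first three tips form one procedure: list what you have, score each item, then act on the scores. The script below is an added example, not part of the original post or of any of the organizations it mentions; it works through that procedure on a constructed sample inventory. The CSV columns, the thresholds (a score of 4 or 5 counts as high, 1 or 2 as low) and the action wording are assumptions chosen for the example, not something the post prescribes.

```python
"""Information inventory triage for a small organization.

Added example, not from the original post. Follows the three steps:
understand what you have, protect what you have, only keep what you need.
The inventory rows, column names and thresholds are constructed assumptions.
"""
import csv
import io

# Constructed sample inventory (not real data).
# sensitivity: 1 = least sensitive, 5 = super top secret
# importance:  1 = could easily work without it, 5 = lost without it
SAMPLE_INVENTORY = """\
asset,location,sensitivity,importance
Donor spreadsheet,shared drive,5,4
Published reports,website,1,3
Workshop participant list (2013),laptop,4,1
Mailing list,email provider,3,4
Paper contracts,office filing cabinet,4,5
Staff email archive,email provider,4,4
"""

HIGH = 4  # assumption: 4 or 5 counts as "high"
LOW = 2   # assumption: 1 or 2 counts as "low"


def load_inventory(text):
    """Parse the CSV inventory and reject scores outside 1..5."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sens = int(row["sensitivity"])
        imp = int(row["importance"])
        if not (1 <= sens <= 5 and 1 <= imp <= 5):
            raise ValueError(f"{row['asset']}: scores must be between 1 and 5")
        rows.append({"asset": row["asset"], "location": row["location"],
                     "sensitivity": sens, "importance": imp})
    # The list itself is both sensitive and important for operations,
    # so it is added to its own inventory at the top rating.
    rows.append({"asset": "This inventory", "location": "(wherever you keep it)",
                 "sensitivity": 5, "importance": 5})
    return rows


def actions_for(item):
    """Map one item's two scores onto the actions the post recommends."""
    actions = []
    if item["sensitivity"] >= HIGH:
        actions.append("restrict access to staff who need it")
    if item["importance"] >= HIGH:
        actions.append("back up regularly, outside this environment")
    if item["sensitivity"] >= HIGH and item["importance"] <= LOW:
        actions.append("delete: sensitive and not needed")
    if not actions:
        actions.append("no special handling")
    return actions


def triage(text):
    """Return inventory items with actions, highest combined score first.

    Ties on the combined score are broken by sensitivity so that the most
    sensitive items surface first.
    """
    items = load_inventory(text)
    for item in items:
        item["actions"] = actions_for(item)
    items.sort(key=lambda it: (it["sensitivity"] + it["importance"],
                               it["sensitivity"]), reverse=True)
    return items


def deletion_candidates(text):
    """Names of items the 'only keep what you need' rule says to get rid of."""
    return [it["asset"] for it in triage(text)
            if any(a.startswith("delete") for a in it["actions"])]


if __name__ == "__main__":
    for it in triage(SAMPLE_INVENTORY):
        print(f"{it['asset']:<34} S={it['sensitivity']} I={it['importance']}  -> "
              + "; ".join(it["actions"]))
```

Run as-is it prints the sample inventory in triage order; to use it for real, replace SAMPLE_INVENTORY with the contents of your own list and remember that the file you feed it is itself a 5/5 item.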
Some resources to check out if you want to read more about practical steps:
- Security in a Box – www.securityinabox.org (Front Line Defenders & Tactical Tech)
- Protection Manual for Human Rights Defenders – http://www.frontlinedefenders.org/manuals/protection (Front Line Defenders)