Who is this Handbook for?
This Handbook was written with a simple goal in mind: to help your civil society organization develop an understandable and implementable cybersecurity plan. As the world increasingly moves online, cybersecurity is not just a buzzword but a critical concept for the success of an organization and safety of a team. Particularly for civil society organizations in the democracy, advocacy, accountability, and human rights spaces, the security of information (both online and off) is a challenge that requires focus, investment and vigilance.
Your organization will likely find itself – if it has not already – the target of a cybersecurity attack. This is not intended to be alarmist; it is reality even for organizations that do not consider themselves to be particular targets.
In an average year, the Center for Strategic and International Studies, which maintains a running list of what they term “Significant Cyber Incidents," catalogs hundreds of serious cyber attacks, many of which target dozens if not hundreds of organizations at once. In addition to such reported attacks, there are likely hundreds of other smaller attacks each year that go undetected or unreported, many aimed at civil society organizations working to support democracy, accountability, and human rights. Organizations representing women or other marginalized groups are often particularly targeted.
Cyberattacks like these have significant consequences. Whether their aim is to take your money, repress your voice, disrupt your organizational operations, damage your reputation, or even steal information that can lead to psychological or physical harm to your partners or staff, such threats need to be taken seriously.
The good thing is that you do not need to become a coder or a technologist to defend yourself and your organization against common threats. However, you do need to be prepared to invest effort, energy, and time in developing and implementing a strong organizational security plan.
If you have never thought about cybersecurity in your organization, have not had time to focus on it, or know some basics about the topic but think your organization could enhance its cybersecurity, this Handbook is for you. Regardless of where you are coming from, this Handbook aims to give your organization the essential information it needs to put a strong security plan in place. A plan that goes beyond simply putting words on paper and enables you to put best practices into action.
What is a security plan and why should my organization have one?
A security plan is the set of written policies, procedures, and instructions your organization has agreed upon to achieve the level of security you and your team think is appropriate to keep your people, partners, and information safe.
A well-crafted and updated organizational security plan can both keep you safe and make you more effective by providing the peace of mind needed to focus on your organization’s important day-to-day work. Without thinking through a comprehensive plan, it is very easy to be blind to some types of threats, focusing too much on one risk or ignoring cybersecurity until there is a crisis.
When you start developing a security plan there are some important questions to ask yourself that form a process called a risk assessment. Answering these questions helps your organization understand the unique threats that you face and allows you to step back and think comprehensively about what you need to protect and from whom you need to protect it. Trained assessors, aided with systems like Internews’ SAFETAG auditing framework, can help lead your organization through such a process. If you can get access to that level of professional expertise it is well worth it, but even if you cannot undergo a full assessment, you should meet with your organization to thoughtfully consider these key questions:
What assets does your organization have and what do you want to protect?
You can start answering these questions by creating a catalog of all your organization’s assets. Information such as messages, emails, contacts, documents, calendars, and locations are all possible assets. Phones, computers and other devices can be assets. And people, connections, and relationships might be assets too. Make a list of your assets and try to catalog them by their importance to the organization, where you keep them (perhaps multiple digital or physical places), and what prevents others from accessing, damaging, or disrupting them. Keep in mind that not everything is equally important. If some of the organization’s data is a matter of public record, or information you already publish, they are not secrets that you need to protect.
Who are your adversaries and what are their capabilities and motivations?
“Adversary” is a term commonly used in organizational security. In simple terms, adversaries are the actors (individuals or groups) that are interested in targeting your organization, disrupting your work, and gaining access to or destroying your information: the bad guys. Examples of potential adversaries could include financial scammers, competitors, local or national authorities or governments, or ideologically or politically motivated hackers. It is important to make a list of your adversaries and think critically about who might want to negatively impact your organization and staff. While it is easy to envision external actors (like a foreign government or a particular political group) as adversaries, also keep in mind that adversaries can be people that you know, such as disgruntled employees, former staff, and unsupportive family members or partners. Different adversaries pose different threats and have different resources and capabilities to disrupt your operations and gain access to or destroy your information. For example, governments often have lots of money and powerful capabilities including shutting down the internet or using expensive surveillance technology; mobile networks and internet providers likely have access to call records and browsing histories; skilled hackers on public Wi-Fi networks have the capability to intercept poorly secured communications or financial transactions. You can even become your own adversary, for example, by accidentally deleting important files or sending private messages to the wrong person.
The motives of adversaries are likely to differ along with their capacity, interests, and strategies. Are they interested in discrediting your organization? Perhaps they are intent on silencing your message? Or maybe they see your organization as competition and want to gain an edge? It is important to understand an adversary's motivation because doing so can help your organization better assess the threats it might pose.
What threats does your organization face? And how likely and high-impact are they?
As you identify possible threats, you are likely to end up with a long list which can be overwhelming. You may feel any efforts would be pointless, or not know where to begin. To help empower your organization to take productive next steps, it is helpful to analyze each threat based upon two factors: the likelihood that the threat will take place; and the impact if it does.
To measure the likelihood of a threat (perhaps “low, medium or high” based on if a given event is unlikely to take place, could happen, or frequently happens), you can use information you know about your adversaries’ capacity and motivation, analysis of past security incidents, other similar organizations’ experiences, and of course the presence of any existing mitigation strategies your organization has put in place.
To measure the impact of a threat, think about what your world would look like if the threat actually did occur. Ask questions like “How has the threat harmed us as an organization and as people, physically and mentally?”, “How long-lasting is the effect?”, “Does this create other harmful situations?”, and “How does it hamper our ability to achieve our organizational goals now and in the future?” As you answer these questions, consider if the threat is low, medium, or high impact.
To help you manage this risk assessment process, consider using a worksheet, like this one developed by the Electronic Frontier Foundation. Keep in mind that the information you develop as part of this process (such as a list of your adversaries and the threats they pose) might itself be sensitive, so it is important to keep it secure.
Once you have categorized your threats by likelihood and impact, you can begin to make a more informed plan of action. By focusing on those threats that are most likely to happen AND that will have significant negative impacts, you will be channeling your limited resources in the most efficient and effective way possible. Your goal is always to mitigate as much risk as possible, but no one – not the most well-resourced government or company on earth – can ever fully eliminate risk. And that is OK: you can do a lot to protect yourself, your colleagues, and your organization by taking care of the biggest threats.