A Strong Foundation: Securing Accounts and Devices
Introduction
Why the focus on devices and accounts? Because they form the foundation of everything that your organization does digitally. You almost certainly access sensitive information, communicate internally and externally, and save private information on your devices and accounts. If they are not secure, then all these things and more can be put at risk.
For example, if hackers are watching your keystrokes or listening to your microphone, private conversations with colleagues will be captured no matter how secure your messaging apps are. Or, if an adversary gains access to your organization’s social media accounts, they could easily harm your reputation and credibility, undermining the success of your work. Therefore, it is essential as an organization to ensure that everyone is taking some simple but effective steps to keep their devices and accounts secure. It is important to note that these recommendations include personal accounts and devices as well, as those are often easy targets for adversaries. Hackers will gladly go after the easiest target and break into a personal account or home computer if your team is using them to communicate and access important information.
Secure Accounts and Civil Society
The widely publicized SolarWinds hack revealed in late 2020, which compromised over 250 organizations, including most United States government departments, technology vendors like Microsoft and Cisco, and NGOs, was partly a result of hackers guessing poor passwords that were used on important administrator accounts. Overall, about 80% of all hacking-related breaches occur because of weak or reused passwords.
With the increasing prevalence of password breaches like this, and easier access for all kinds of adversaries to sophisticated password-cracking tools, two-factor authentication is a security must-have for civil society organizations. One example of civil society accounts under attack was reported by Facebook in 2020. According to its report, hacking groups in Bangladesh targeted the accounts of local civil society activists, journalists, and religious minorities. Unfortunately, the hackers were able to successfully compromise some of these Facebook accounts, including that of an administrator for a local group’s Facebook Page. With access to the admin account, the hackers removed the remaining admins, took over the page, and disabled it, preventing the group from sharing key information and communicating with its audience. Facebook’s investigation found that the accounts were likely compromised through various means, including abuse of its account recovery process. If all the accounts had been using two-factor authentication, such attacks would have been much more difficult for the hackers to carry out.