Digital security is all about tradeoffs: nonprofits have limited resources, and need to carefully assess risks and decide which threat scenarios are most critical. In this article we outline strategies for assessing risk, choosing security objectives, and provide sample policies to use as starting points.
Assessing Risk
To decide how best to use limited resources to protect your organization, first you need to think through possible worst case scenarios, and decide which are most important. Security professionals call this “threat modeling.” According to the EFF, “Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.” The EFF has a great guide on how to think about threat modeling here. The key is to identify a small number (like 3–5) of worst case scenarios that could actually happen to your organization that would have catastrophic consequences. Then you can build your security objectives and security plan around avoiding these worst case scenarios. Below are some example worst case scenarios to consider.
Leaked personal data: If you store user data of any kind, consider the risks associated with user personal information accidentally being made public without the consent of the user. Worst case scenario: staff or member home addresses get leaked and end up on hostile internet forums, leading to harassment, doxxing, or swatting of members or staff.
Leaked strategic communication: Some organizations communicate internally about plans and ideas that will become public within days, in the form of tweets, blog posts, press releases. The cost of leaking this information a half day early isn’t very high. But other organizations would be thoroughly compromised if internal communication was leaked to the public. Worst case scenario: sensitive strategic communication like internal emails or memos are leaked, and end up on the news.
Phishing: Staff email addresses are used as login credentials for most digital tools that nonprofit staff use to do daily work. This means that if a staff member fell for a phishing attack and an attacker gained access to that staff member’s email account, the attacker could access all the internal systems the staffer has access to through this email account. There are several worst case scenarios here: the attacker could use the compromised email account to access and download private data, or download and share internal-only communication, or even to request a transfer of funds out of the organization.
Choosing Security Objectives
Once you’ve identified ~3–5 worst case scenarios for your organization, now you can define your security objectives: what you will protect with your security policies and why. This involves a complex set of choices, because adding rules usually means adding work, cost, and time. The security benefits need to justify the costs. Some productivity tools trade off security and usability, some policies are so cumbersome that users work around them, and some protections are too expensive for small or medium organizations to afford. It’s important to choose tradeoffs that make the best use of your limited money and time, and that support processes your staff can and will actually use. Here are some tradeoffs to consider.
Centralize control? Do you roll out monitoring, remote access, or remote administration systems to all staff devices? Many organizations view this as critical for control over asset management, and software installation. But managing a program like this requires significant IT resources, and significant trust in the users who are administering the monitoring and remote installations. Centralized control = more control, but also a single point of security failure. Attackers only need to successfully break into a single IT administrator’s account to be able to get access to all staff devices. A similar tradeoff exists with antivirus software: while antivirus software protects users from many potential viruses, all a hacker would need to do to gain full access to all your internal systems and staff devices is hack the antivirus software, or wait for users to fall behind regular security updates. This is a real tradeoff, and one where different organizations may come to different conclusions based on their specialization and risk profiles.
How much to pay for tools? Having control over staff devices costs money and time, and having control over 3rd party software usually also costs more. Most nonprofits use productivity tools to do work, and having control over 3rd party data access, retention, and storage usually costs more money or time. Using “free” versions of tools is usually not actually free because most for-profit tech companies have business models built on harvesting, mining, and selling user data. The old maxim holds true: “If you are not paying for it, you’re not the customer; you’re the product being sold.” You can choose to spend more money and adopt paid versions of tools that allow for additional control over data retention, privacy, and access control. You can also choose to spend significant IT time and money hosting your own version of productivity tools you fully control. The key is deciding how you want to trade off control vs money and time, and how much money and time you are willing to spend for the control you want.
Usability vs privacy. Today, many tools built on privacy and security that include features like end-to-end encryption are harder to use than less secure tools. Privacy and usability aren’t inherently at odds, but privacy-grounded tech companies tend to have fewer resources because most for-profit tech companies have business models built on harvesting, mining, and selling user data. Decide how you will balance these tradeoffs: can you accept that 3rd parties could mine and sell your data? Can you accept the cost of investing extra time in training your staff on using less intuitive tools?
Understand system interconnectedness. Staff at most organizations use a handful of digital tools every day to do work, and often data and access flow between digital tools. In general with any ecosystem of digital tools, the entire system is only as secure as its weakest link. Email access is often a weakest link, as access to an email account grants access to all the systems the email account can access. For example, if your bank account website is registered with your personal email address, and an attacker gains access to your email, they can also gain access to your bank account by using the bank account’s “Forgot my password” feature with your email. Every organization’s tool ecosystem is different, and your system may have additional places where access to one account or tool grants access to other tools.
Sample Security Objectives:
- Use paid versions of off-the-shelf productivity tools that allow for control over data retention and access management
- Always adopt end-to-end encryption if it’s available.
- Adopt more user-friendly collaboration tools for most communication, and more secure collaboration tools for communication that needs to be explicitly private and protected.
- Invest time and effort training staff to protect themselves from phishing attacks
- Protect member personal identifying information in all systems
- Use the principle of least privilege to grant access to data and systems. Instead of by default granting everyone access to everything, be intentional about what data, systems, and strategic communication access is granted to staff and allies.
Sample Digital Security Policies
Once you’ve identified your most important worst case scenarios, and have defined security objectives that will guide you in protecting against these scenarios, you can write out security policies for your organization.
While any policy is better than no policy, it’s important to make sure you create policies that your organization understands and supports, and that you have the resources to enforce. Here are some example security policies to get you started.
Sample Security Checklist For Staff
- Password protect your phone and computer
- Enable Multi-Factor Authentication or 2-Step Verification on email
- Enable Login Verification or Multi Factor Authentication on all social media accounts including Facebook, Twitter, and Instagram
- Audit Account Recovery settings, especially for email: confirm that you can access your email’s ‘account recovery’ phone / email, and that the account recovery email address is also protected with Multi Factor Authentication
- If you use gmail, perform a “Security Checkup” on your google account to recent access locations and authorized apps are legitimate: https://myaccount.google.com/security-checkup
- Call your cell phone provider and put a pin on your cell phone account, to protect from SIM swap attacks
- Be vigilant about the ongoing risk of email phishing
- Be vigilant about social media impersonation attacks: verify all connection requests and direct messages and only share personal information with verified accounts
- Use a password manager to store passwords
- Use only strong passwords (longer is better), and never reuse passwords across accounts
- Keep all devices including phone and laptop up to date with software updates
Sample Personal Data Access Policy
- Do not share any staff personal identifying information internally or externally without consent of the staff member
- Do not forward email between organization’s email and your personal email. Do not use your personal email to manage, edit, or share the organization’s documents.
- Require permission to bulk download member email personal identifying information
- Delete all user data files after using
- Do not store lists of members or staff private information outside of approved document storage systems
Sample Retention Policies
Why should you care about retention policies? External parties can’t subpoena and hackers can’t steal information you do not store.
- Retain organizational email for 6 month window, and auto-delete email older than 6 months
- Retain chat messages for 90 days, and auto-delete chat older than 90 days
- Retain documents for a 6 month window, and auto-delete documents older than 6 months
Sample Credential Management Policy
- Use a password manager to store personal credentials, team credentials, to generate random strong passwords, and to safely copy and paste passwords when in public environments, like working from a coffee shop.
- When possible, teams should grant each user their own account, and avoid sharing accounts whenever possible.
- Use a password manager vaults for sharing credentials, and do not share passwords via google docs, email, chat, wiki, SMS.
- Avoid using listservs or groups for account usernames when possible. For example, if your organization’s Twitter account’s username is some-large-group@your-org.org then anyone subscribed to this group can change your org’s twitter password using Twitter’s “forgot password” feature.
- Always use 2 factor authentication when it’s available for accounts, including email, social media, and web-based services.
- Never reuse passwords.
- Always use strong passwords. All systems and data are only as safe as the weakest staff password.
Sample device policy:
- Password protected
- Enable disk encryption
- Enable firewall
- Keep current with its software updates
- Use privacy screens and webcam covers
Sample email administration policy:
- Enable multi-factor enforcement org-wide.
- Disallow auto-forwarding to external accounts, because you can’t control whether these external accounts have multi-factor enforcement enabled, and your org assets and data accessible via email are only as secure as the least secure account.
- Disallow any 3rd party email integrations that request deep access to staff email accounts. Explicitly whitelist approved integrations.
- New accounts should be created with temporary passwords that force a password change on first login.
- Disable POP and IMAP access.
Examples of most secure tools
Some data, communication, and processes need to be treated with the most security and protection. To achieve this goal, default to end-to-end encrypted tools, and communication mechanisms that leave minimal digital traces.
- Encrypted Email: ProtonMail or Manually encrypting text with PGP before sending over gmail
- End-to-end encrypted chat: Signal
- End-to-end encrypted calls: also Signal
- Keeping your location private while browsing: https://www.torproject.org/projects/torbrowser.html.en
- Do not expect privacy when communicating via cell phone calls or SMS
- Anonymize your browser signature https://panopticlick.eff.org/
- Use an adblocker browser plugin, like Privacy Badger: https://privacybadger.org/
- Use a search engine that doesn’t track and mine your data: https://duckduckgo.com/?va=z&t=hk
Sample Emergency Guidance for Staff
“Has my email been hacked?”
- If there’s any suspicion or doubt, change your password immediately
- Go through your email provider’s security audit processes, check for any access that appears to be someone other than you, also verify your account recovery methods
- Ask an email admin to run administrative reports on document access and email history to better understand what data (if any) was leaked
- Identify which other accounts had this email address specified as the backup email (like social media or bank accounts), and change all the passwords on those accounts too
“I received a phishing email”
- If you are at all unsure about whether the email is a phishing email, do not click on any of the links in this email, do not forward the email to others, and do not open any attachments.
- Submit untrusted links and files to VirusTotal, an online service that checks files and links against several different anti-virus engines and reports the results.
- Take a screenshot and ask for advice but please do not mass forward the email.
“I accidentally clicked on a phishing email!”
- If there’s any suspicion or doubt about what you clicked on or what you typed your email and password into, change your password immediately, and follow the steps listed above